[Cryptography-dev] codecov security incident

Alex Gaynor alex.gaynor at gmail.com
Thu Apr 15 09:42:28 EDT 2021


This morning codecov disclosed a security incident:

https://about.codecov.io/security-update/

This incident allowed an attacker to run code in environments that use codecov
for uploading coverage. Since the Python Cryptographic Authority uses codecov
across our projects for tracking coverage, we wanted to provide an update on
how we were impacted by this incident.

tl;dr: we're not impacted

We use codecov across many many testing jobs. However, none of these jobs
contain access to any secrets or tokens of any sort. Further, we do not use
codecov in any jobs that generate release artifacts (e.g. built wheels).
Because our CI infrastructure relies on ephemeral environments, jobs are
isolated from each other -- gaining access to a job that runs tests cannot be
pivoted to access to a job that generates a release wheel. 100% of our source
code is open source, including all release infrastructure, so there was no
source code to steal.

The fact that we were not impacted reflects deliberate decisions to minimize
the attack surface of the parts of our release infrastructure that could
impact the integrity of our artifacts.

Nevertheless, we are going to be investigating whether there exist good
alternatives to codecov -- this reflects not just this security incident, but
also a long-running pattern of instability in codecov's service. Our
constraints are that our coverage infrastructure needs to be able to merge
coverage results from multiple jobs and languages and compute aggregate
coverage and reports, and it needs to be highly reliable. We encourage folks
to send recommendations our way.

Regards,
Alex & Paul

-- 
All that is necessary for evil to succeed is for good people to do nothing.
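The separation the post describes (coverage uploaded only from test jobs that
hold no secrets, release artifacts built in a separate ephemeral job that never
runs the uploader) can be expressed as a CI workflow. The configuration below
is an added illustration written for this page, not PyCA's actual workflow. It
assumes GitHub Actions, the `codecov/codecov-action` action, a hypothetical
`build-wheels` job and a hypothetical `PYPI_TOKEN` repository secret.

```yaml
# Added example: not PyCA's real configuration. Assumes GitHub Actions.
name: ci

on:
  push:
  pull_request:
  release:
    types: [published]

# Default the GITHUB_TOKEN to no permissions; each job opts in to what it needs.
permissions: {}

jobs:
  tests:
    # The coverage uploader runs only in this job. It gets a read-only
    # GITHUB_TOKEN and references no repository secrets, so an uploader that
    # dumps the environment (the vector in the codecov incident) finds nothing
    # worth exfiltrating.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    strategy:
      matrix:
        python: ["3.8", "3.9"]
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: ${{ matrix.python }}
      - run: pip install -e . pytest pytest-cov
      - run: pytest --cov --cov-report=xml
      - uses: codecov/codecov-action@v1   # pin to a full commit SHA in real use
        with:
          file: ./coverage.xml
          # Deliberately no `token:` input: a public repository can upload
          # without one, so no secret ever enters this job's environment.

  build-wheels:
    # Release artifacts are produced in a separate, ephemeral job that does not
    # install or invoke the coverage uploader at all. The publishing secret is
    # present only here; the test jobs never see it, so a compromised test job
    # cannot be pivoted into the release path.
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: "3.9"
      - run: pip install build twine
      - run: python -m build --wheel
      - run: twine upload dist/*
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}   # hypothetical secret name
```

Two properties are worth checking mechanically in review of any such file: no
`secrets.*` expression appears in a job that runs the uploader, and the
uploader step appears in no job that produces or publishes artifacts. Pinning
the uploader action to a full commit SHA rather than a tag is the additional
step that would have limited exposure had the modified uploader been pulled in
by a tag.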