This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Code coverage on the CI: validate codecov shell script checksum
Type: Stage: resolved
Components: Tests Versions: Python 3.10
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: Nosy List: ammar2, ned.deily, vstinner
Priority: normal Keywords:

Created on 2021-04-29 23:36 by vstinner, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (4)
msg392362 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2021-04-29 23:36
Currently, GitHub Action and Travis CI run a codecov bash downloaded from without validating it.

The script was recently compromised:

We should validate the shell script integrity by checking its checksum. Example from the documentation:
curl -s > codecov;
VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);
for i in 1 256 512
  shasum -a $i -c --ignore-missing <(curl -s "${VERSION}/SHA${i}SUM") ||
  shasum -a $i -c <(curl -s "${VERSION}/SHA${i}SUM")

msg392363 - (view) Author: Ammar Askar (ammar2) * (Python committer) Date: 2021-04-29 23:42
See also where we're proposing just removing the coverage build altogether.
msg392366 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2021-04-30 00:10
I agree that we should just remove the code coverage runs rather than trying to improve their security. It seems to me to be rude of us to use so much of the open source build resources for an activity that appears to have little benefit.
msg392529 - (view) Author: Ammar Askar (ammar2) * (Python committer) Date: 2021-04-30 22:43
With issue43888 being fixed with the removal of the coverage build, this is now obsolete. Thanks for pointing out the codecov breach, we will make sure to follow this if we ever re-add codecov.
Date User Action Args
2022-04-11 14:59:44adminsetgithub: 88148
2021-04-30 22:43:36ammar2setstatus: open -> closed
resolution: out of date
messages: + msg392529

stage: resolved
2021-04-30 00:10:44ned.deilysetnosy: + ned.deily
messages: + msg392366
2021-04-29 23:42:57ammar2setnosy: + ammar2
messages: + msg392363
2021-04-29 23:36:48vstinnercreate