[SEC] potential security issue related to GitHub CI servers? #6406
Comments
GitHub support reply on the second issue (blocklist)
No clear "next step" or instructions on how to resolve it have been given so far.
Related: pypa/pip#12680. It doesn't seem like something we should be worried about.
On second thoughts, we should keep an eye out, just in case (I'm looking at you, xz).
I think our problem is not an instance of this - the hashes in the error logs are very different, not just lower/uppercase variants.
Reply from GitHub support: Please rest assured that this has not been a widespread issue impacting GitHub services or resources. Nevertheless, while this has not been a widespread issue, we have communicated this with AVG directly. But with respect to next steps regarding the blacklisted log URL, the only other thing we can advise right now is that you send your feedback to AVG to notify them of the false positive too. And on the topic of the more recent issue regarding the package SHAs: This doesn't appear to be related to AVG's blacklisting; instead, it's likely related to some kind of build, deployment, or CI/CD workflow process expecting one version of a dependency that's pinned to a particular commit, but receiving a different one. Do you happen to be using a The reason I ask is because this error is typically seen when using Python's pip package manager with a requirements file that includes hashes for each package. The hash is a way to verify the integrity of the downloaded package, ensuring it has not been tampered with. The error message suggests that the hash of the downloaded package does not match the expected hash listed in the requirements file. This could be due to:
To update the hashes in your requirements file, you can use the pip freeze command to get the current versions and hashes of your installed packages, and then update your requirements file with this information. But please also note that this will overwrite your current requirements file, including any packages you've installed that are not in your requirements file.
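The hash check the support reply describes, as an added example written for this page (it is not pip's own code and not anything from this repository): a stand-alone re-implementation of the requirements-file `--hash=` check that classifies a downloaded artifact as a match, a case-only variant of the pinned digest (the kind of difference the thread mentions in connection with pip#12680), or a genuine mismatch of the kind the CI logs reported. The package names, the sample bytes standing in for a wheel, and every digest below are constructed for the example; the only real thing it relies on is that `hashlib` produces lowercase hex digests.

```python
import hashlib
import re

# Matches the "--hash=<algorithm>:<hexdigest>" options pip accepts on a requirement line.
_HASH_OPT = re.compile(r"^--hash=([A-Za-z0-9_]+):([0-9A-Fa-f]+)$")


def iter_requirement_lines(text):
    """Yield logical requirement lines from requirements.txt content, joining
    backslash continuations and dropping blank lines and full-line comments."""
    buf = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].strip())
            continue
        buf.append(stripped)
        logical = " ".join(buf).strip()
        buf = []
        if logical and not logical.startswith("#"):
            yield logical
    if buf:  # file ended on a continuation line
        logical = " ".join(buf).strip()
        if logical and not logical.startswith("#"):
            yield logical


def parse_requirement_line(logical):
    """Split a logical line into (requirement, {algorithm: [pinned digests]}).
    Assumes no environment markers (no ';' clause) on the line."""
    tokens = logical.split()
    req, hashes = tokens[0], {}
    for tok in tokens[1:]:
        m = _HASH_OPT.match(tok)
        if m is None:
            raise ValueError(f"unsupported option on requirement line: {tok}")
        hashes.setdefault(m.group(1).lower(), []).append(m.group(2))
    return req, hashes


def classify_artifact(data, hashes):
    """Compare the artifact bytes with the pinned digests and return one of
    "match", "case-only" (equal apart from hex case), "mismatch" or "unpinned"."""
    if not hashes:
        return "unpinned"
    verdict = "mismatch"
    for algorithm, digests in hashes.items():
        actual = hashlib.new(algorithm, data).hexdigest()  # hexdigest() is lowercase
        for pinned in digests:
            if pinned == actual:
                return "match"
            if pinned.lower() == actual:
                verdict = "case-only"
    return verdict


def check_requirements(text, artifacts):
    """Map each requirement to its verdict, looking up downloaded bytes by project name."""
    results = {}
    for logical in iter_requirement_lines(text):
        req, hashes = parse_requirement_line(logical)
        name = re.split(r"[=<>!~\[]", req, maxsplit=1)[0]
        results[req] = classify_artifact(artifacts[name], hashes)
    return results


# Constructed sample artifact standing in for a downloaded wheel (not a real package).
SAMPLE_WHEEL = b"PK\x03\x04 constructed sample wheel contents for the example\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_WHEEL).hexdigest()

# Constructed requirements file. pkg-a pins the real digest, pkg-b pins the same digest
# in upper case, and pkg-c pins an unrelated digest, simulating the CI-log mismatch.
REQUIREMENTS_TXT = f"""\
# constructed requirements file for the example
pkg-a==1.0.0 \\
    --hash=sha256:{SAMPLE_SHA256}
pkg-b==2.0.0 --hash=sha256:{SAMPLE_SHA256.upper()}
pkg-c==3.0.0 --hash=sha256:{'0' * 64}
"""

# All three "downloads" are the same sample bytes; only the pinned digests differ.
ARTIFACTS = {"pkg-a": SAMPLE_WHEEL, "pkg-b": SAMPLE_WHEEL, "pkg-c": SAMPLE_WHEEL}

if __name__ == "__main__":
    for req, verdict in check_requirements(REQUIREMENTS_TXT, ARTIFACTS).items():
        print(f"{req}: {verdict}")
```

A "case-only" verdict means the bytes are the ones that were pinned and only the spelling of the digest differs; a "mismatch" means the downloaded bytes are not the ones that were pinned. Regenerating the hashes from whatever was downloaded, as the support reply suggests, makes the error go away but also accepts the unexpected file; keeping the old digest and fetching the artifact again is the check that tells a transient or differently built download apart from a modified one.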
My analysis of this is:
I will follow up.
My reply to GH support:
There have been multiple strange occurrences around GitHub CI servers that may be security related:
These also do not always seem to be the same packages, or same sha.
I also wonder whether the two are correlated.
What is going on here? I really hope Microsoft don't have hackers in there...