tuist / tuist

Tuist's CLI
https://tuist.io
MIT License
4.57k stars 553 forks

Checksum verification as part of the installation #2825

Closed (by pepicrft, 2 years ago)

pepicrft commented 3 years ago

Context 🕵️‍♀️

Codecov had a security incident recently that caused environments to run a hacker's bash uploader and report sensitive information to the hacker.

What 🌱

The approach our users follow on CI for running Tuist is vulnerable to these types of hacks, and therefore I think we should add some safeguards to prevent something like this from happening. Like Rails does, each release could include a checksum that we can validate when installing Tuist in a CI environment.
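The safeguard proposed above, as an added example that is not part of the issue and not Tuist's own install script: a CI step that downloads a release archive, checks its SHA-256 against a checksum pinned in the CI configuration, and only extracts it if the digest matches. The function names (`sha256_of`, `verify_checksum`, `install_release`) and the download-then-unzip pipeline are assumptions for illustration. The point that matters for the Codecov-style attack is that the expected digest is pinned in the repository, not fetched from the same server as the artifact, so an attacker who swaps the artifact cannot also swap the checksum.

```shell
#!/bin/sh
# Added example (not Tuist's installer): download a release archive, verify its
# SHA-256 against a value pinned in CI config, and only then extract it.
set -eu

# Print the hex SHA-256 of a file. Prefers sha256sum (Linux, coreutils) and
# falls back to shasum -a 256 (macOS), so the same script works on both.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE EXPECTED_HEX
# Returns 0 when the file's SHA-256 equals EXPECTED_HEX, 1 otherwise.
# Comparison is case-insensitive on the hex string, since tools differ.
verify_checksum() {
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# install_release URL EXPECTED_HEX DEST_DIR   (assumed pipeline, not Tuist's)
# The archive is written to a temp file first; nothing is extracted or run
# until verify_checksum has succeeded. Contrast with `curl ... | bash`, where
# whatever the server returns executes immediately with no chance to check it.
install_release() {
  url="$1"
  expected="$2"
  dest="$3"
  tmp="$(mktemp)"
  curl -fsSL "$url" -o "$tmp"
  if ! verify_checksum "$tmp" "$expected"; then
    rm -f "$tmp"
    return 1
  fi
  mkdir -p "$dest"
  unzip -q "$tmp" -d "$dest"
  rm -f "$tmp"
}

# Usage in a CI job (EXPECTED pinned in the repo alongside the version):
# install_release "https://example.invalid/tuist-x.y.z.zip" "$EXPECTED" ./tuist-bin
```

In practice the pinned digest lives next to the pinned version in the CI file and is updated in the same pull request as the version bump, so a reviewer sees both change together.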

danieleformichelli commented 2 years ago

We are already doing it in our CI; I don't think we need to do anything on the Tuist side.