← Back to context

Comment by ants_everywhere

2 months ago

This seems like something that can be solved with reproducible builds and ensuring you only deploy from a CI system that verifies along the way.

In fact this blog post appears to be advertising for a system that secures build pipelines.

Google has written up some about their internal approach here: https://cloud.google.com/docs/security/binary-authorization-...

4 comments

ants_everywhere

Reply
herpdyderp  2 months ago

With repos and workflows being infected, wouldn't a CI-only deploy not help?

  • ants_everywhere  2 months ago

    The malware is modifying files and adding github workflows. If your builds are reproducible and run from committed code then the only way to add the post install script is if the maintainer reviews and accepts the commit that adds it. Similarly with the github workflow branch.

    And if your CI is building and releasing in a sandboxed hermetic environment, then the sandboxes that build and release don't need credentials like AWS_ACCESS_KEY because they can't depend on data from the network. You need credentials for deploying and signing, but they don't need to be present during build time.

    • herpdyderp  2 months ago

      > The malware is modifying files and adding github workflows. If your builds are reproducible and run from committed code

      Exactly: it can simply commit its code and trigger a CI-only GitHub Actions deploy with no input from the maintainer at all.

      1 reply →