YPCrumble | 2 years ago

People often claim that open source is more secure, which is implied in this release. But the Codecov breach that leaked any secrets provided to CI/CD pipelines [1] was done via a bash script whose code was available for anyone to read. The breach wasn't complex at all. It was just that nobody noticed for a long time that the bash uploader script sent all secrets to a random IP address.

It makes me wonder what the benefit really is to being open source. Is it just marketing?

[1] https://about.codecov.io/security-update/

zeeg | 2 years ago

It’s not about security for us, but about accessibility of technology. Open source lifts the barriers on who can use software (e.g. outside of politics, compliance, etc.), and enables knowledge sharing. It’s - from Sentry's angle - how we enable any developer to take advantage of our technology, hopefully enabling them to solve other problems and grow the industry.

YPCrumble | 2 years ago

So cool to see the CTO of Sentry here! This makes some sense to me - I'm actually following an issue with Sentry I had recently and although it's not being fixed anytime soon at least I know the status.

https://github.com/getsentry/sentry-python/issues/370

I'd love to believe that one day someone will crack the nut of "Sentry puts a bounty on this issue and YPCrumble decides to make a PR because it's something he's experiencing AND he'd get some experience working on the Sentry codebase which would be a learning opportunity, and he feels like he's getting paid for his time."

twleo | 2 years ago

Open source does not magically make your software more secure. The community needs to audit the code if they are going to use it instead of trusting it blindly.