So Google...
would rather break things than let them be reduced in importance.
Yet when it came to Android, it's taken a decade for it to even start to resemble an OS that doesn't rely on 3rd parties to update.
Google's bug-hunting Project Zero team has posted details of an injection vulnerability in GitHub Actions after refusing a request to postpone disclosure. The issue arises due to the ability to set environment variables that are then parsed for execution by GitHub Actions. According to the Project Zero disclosure: "As the …
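The mechanism the excerpt describes, as an added example that is not part of the article, of Project Zero's report, or of GitHub's runner code: a small Python model of a runner that scans a step's stdout for `::set-env name=NAME::VALUE` workflow commands (the syntax GitHub Actions documented at the time, assumed here), showing how an untrusted issue title echoed by a naive step lands in every later step's environment, and two ways to stop it: bracketing untrusted output in `::stop-commands::TOKEN` ... `::TOKEN::` with an unguessable token, or dropping stdout-based set-env altogether (GitHub later moved environment updates to the `$GITHUB_ENV` file instead). The parser, the function names, the issue title payload and the environment contents are all constructed for illustration.

```python
"""Constructed model of a CI runner that scans step stdout for workflow
commands. It is a stand-in for illustration, not GitHub's runner code.
Assumed command syntax, as GitHub Actions documented it at the time:
    ::set-env name=NAME::VALUE            sets NAME for every later step
    ::stop-commands::TOKEN ... ::TOKEN::  suspends command parsing in between
"""
import re
import secrets

SET_ENV_RE = re.compile(r"^::set-env name=([A-Za-z_][A-Za-z0-9_]*)::(.*)$")
STOP_RE = re.compile(r"^::stop-commands::(\S+)$")

BASE_ENV = {"PATH": "/usr/bin"}  # constructed starting environment


def apply_step_output(stdout_lines, env, set_env_enabled=True):
    """Return the environment later steps would inherit after the runner has
    scanned one step's stdout line by line for workflow commands."""
    env = dict(env)
    end_token = None  # while set, every line is ignored until ::TOKEN::
    for line in stdout_lines:
        if end_token is not None:
            if line == f"::{end_token}::":
                end_token = None
            continue
        m = STOP_RE.match(line)
        if m:
            end_token = m.group(1)
            continue
        m = SET_ENV_RE.match(line)
        if m and set_env_enabled:
            env[m.group(1)] = m.group(2)
    return env


# Constructed untrusted input: an issue title chosen by an outside contributor.
# One well-formed command line is all the parser needs.
EVIL_TITLE = "::set-env name=NODE_OPTIONS::--require /tmp/payload.js"


def naive_step_output(title):
    """Stdout of a step that logs the title on its own line, e.g. a shell
    step running `echo "$ISSUE_TITLE"` with the title passed in unescaped."""
    return ["Triage starting", title, "Triage done"]


def vulnerable_run(title):
    """Pre-fix behaviour: the title reaches the command parser unchanged."""
    return apply_step_output(naive_step_output(title), BASE_ENV)


def run_with_stop_commands(title):
    """Mitigation 1: the step brackets anything it prints from untrusted data
    with stop-commands, using a per-run random token the attacker cannot
    predict (a fixed or guessable token would reopen the hole)."""
    token = secrets.token_hex(16)
    out = [f"::stop-commands::{token}", *naive_step_output(title), f"::{token}::"]
    return apply_step_output(out, BASE_ENV)


def run_without_set_env(title):
    """Mitigation 2: the runner no longer honours set-env from stdout at all;
    steps that need to export a variable write it to a dedicated file instead."""
    return apply_step_output(naive_step_output(title), BASE_ENV, set_env_enabled=False)


if __name__ == "__main__":
    for label, fn in [("vulnerable", vulnerable_run),
                      ("stop-commands", run_with_stop_commands),
                      ("set-env disabled", run_without_set_env)]:
        env = fn(EVIL_TITLE)
        print(f"{label:17} NODE_OPTIONS={env.get('NODE_OPTIONS')!r}")
```

`NODE_OPTIONS` is used as the constructed target because Node honours it when it starts, so any later Node-based step would load the attacker's file; the same trick works with any variable a later step trusts, `PATH` or `LD_PRELOAD` included. The stop-commands wrapper only helps if the token is random per run and the wrapper is applied to every step that prints untrusted data, which is why removing stdout-based set-env from the runner is the more robust fix.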
Microsoft did the same thing with Windows. Windows 1.0 launched on November 20, 1985, and it took almost a decade until we got to Windows 95, the first time Windows became a real OS and a killer app. It also caused a lot of hardware sales, to either upgrade PCs or buy PCs that could run Windows 95.
Let's face it, as nice as Windows 3.1 was, it was still a shell running over DOS, not an operating system on its own.
Yes, but DEVOOPS!!!#!1111! Or, as used to be drummed into ops sorts, just because you can doesn't mean you should...
Might be in the minority, but I only use GH for versioning; anything CI/CD (CI only really, people who do CD as advertised are a rounding error) runs in house and doesn't support emojis. (Honestly, the last time someone who doesn't know better tried to convince me that GitHub Actions and workflows running on others' platforms (yet to find a reason why that's better than doing it in house) were a good thing, it was to show me them receiving notifications and a tweet on their phone that a build was failing, with the poo emoji. My response was: what use is that to you, can you fix your build on your phone, how is that better than the plain-text email my build server sends without any 3rd parties involved?)
If Google has found the problem you can assume other agencies have as well and are probably already exploiting it. Not publishing the results is really just a courtesy.
The real thing is: how does Google respond in similar situations? Does it take security reports as importantly as it expects others to take its?
Thing is, we all use external dependencies in one way or another. So you have to expect that workflows may break at any time.
Ideally, as long as you have some prior notice and you're paying attention and you have the resources to make the necessary adaptations (or can afford to let it break), this shouldn't catch anyone off guard.
GitHub really did not want to break user space - right or wrong.
Maybe some of Google's code needs to be looked at a little closer - say their SMTP servers or perhaps Widevine - just to look and learn the proper way to implement those services.
There is of course a difference between refusal to fix and actual repair work ongoing.
This is the third time they pulled this crap. I'm not familiar with the feature they are talking about, but since this is GitHub, I'm assuming that it's the online component. Maybe GitHub needs more time to sort it out. Google are just being dicks, like usual. What happened to their mantra, "Don't be evil"???
Some vulnerabilities cannot be "fixed" ...... they are important systemic opportunities/abiding future relevant features best embraced and extended and modified, for extinction is neither possible nor adorable and attractive.
That can be a difficult coloured pill to swallow but patients in need of it cannot survive without them being readily available for consumption.
'Tis a Simply Complex Fact of Life .....:-) which some could/may also tell you, based upon their very own intimate personal experiences, is a Fact for Life and even venture further and posit IT a Fact for a Life and Lives in the Afterlife with Other Live Phorms....... but they be few and far between and most unlikely to bother you directly with such an Extreme Meme Stream, resulting as it can do all too easily with one believing it to be too unbelievable to be honestly true and a wonderfully stealthy portal to delights beyond compare.