Codecov's recent security breach[1] wasn't noticed for three months, and was caught by someone checking the shasum[2]. While it's best practice to validate the checksum on every download yourself, people obviously aren't doing that.
I made a small website where you can see that at least someone is checking these things: https://www.hecksum.com/. It's a rushed-out-the door MVP. There are only two projects supported, and it uses Airtable as a datastore and frontend. But I shipped, so that's cool.
If you want to contribute, the most valuable thing would be pointing me towards projects you want to see[3]. It's up on GitHub[4] if you want to contribute code.
There are a ton more features to add, like making it easier for people to verify the sha themselves. Interested to hear any thoughts.
1 comment
[ 2.3 ms ] story [ 15.5 ms ] threadI made a small website where you can see that at least someone is checking these things: https://www.hecksum.com/. It's a rushed-out-the door MVP. There are only two projects supported, and it uses Airtable as a datastore and frontend. But I shipped, so that's cool.
If you want to contribute, the most valuable thing would be pointing me towards projects you want to see[3]. It's up on GitHub[4] if you want to contribute code.
There are a ton more features to add, like making it easier for people to verify the sha themselves. Interested to hear any thoughts.
[1]https://about.codecov.io/security-update/ [2]https://news.ycombinator.com/item?id=26820145 [3]https://airtable.com/shr5gJ8tLGmqoBEem [4]https://github.com/hecksum