1 comment

[ 2.3 ms ] story [ 15.5 ms ] thread
Codecov's recent security breach[1] wasn't noticed for three months, and was caught by someone checking the shasum[2]. While it's best practice to validate the checksum on every download yourself, people obviously aren't doing that.

I made a small website where you can see that at least someone is checking these things: https://www.hecksum.com/. It's a rushed-out-the door MVP. There are only two projects supported, and it uses Airtable as a datastore and frontend. But I shipped, so that's cool.

If you want to contribute, the most valuable thing would be pointing me towards projects you want to see[3]. It's up on GitHub[4] if you want to contribute code.

There are a ton more features to add, like making it easier for people to verify the sha themselves. Interested to hear any thoughts.

[1]https://about.codecov.io/security-update/ [2]https://news.ycombinator.com/item?id=26820145 [3]https://airtable.com/shr5gJ8tLGmqoBEem [4]https://github.com/hecksum