Safety check release bug #1200

Closed
dokazhi opened this issue Aug 2, 2021 · 2 comments
Labels
bug Something isn't working duplicate This issue or pull request already exists

Comments

@dokazhi

dokazhi commented Aug 2, 2021

Describe the bug
Safety check says 6.0b1 is more secure version
(screenshot of the safety check output attached in the original issue)

To Reproduce
How can we reproduce the problem? Please be specific. Don't just link to a failing CI job. Answer the questions below:

  1. What version of Python are you using?
  2. What version of coverage.py are you using? The output of coverage debug sys is helpful.
  3. What versions of what packages do you have installed? The output of pip freeze is helpful.
  4. What code are you running? Give us a specific commit of a specific repo that we can check out.
  5. What commands did you run?

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

@dokazhi dokazhi added the bug Something isn't working label Aug 2, 2021
@danuker

danuker commented Aug 2, 2021

As you can see, version 6.0b1 is the latest released right now, so if you want security to stop complaining, you should perhaps update.

Alternatively, you can ignore this issue with -i 41002 as arguments for safety, if your organization does not see coverage using MD5 as a risk (which I doubt it does, unless you need to be blindly FIPS compliant like the guy that asked for this change here).

Personally, I think this is a bug in safety, because I don't see how the coverage tool could be tricked with a hash collision into exploiting any system.
Edit: it seems somebody else agrees.
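
The point of contention in the comment above is that coverage uses MD5 only to fingerprint source text, not for anything where collision resistance matters, and that FIPS-restricted Python builds refuse to construct an MD5 object unless the caller says so. The following is an added example, not coverage's code or the safety project's code, showing the general pattern such a non-security use can follow: ask `hashlib` for the digest with `usedforsecurity=False` (supported since Python 3.9), fall back for older interpreters that do not accept the keyword, and keep the algorithm selectable so a SHA-2 digest can be substituted where policy requires it. The function names and the sample input are this example's own.

```python
"""Fingerprinting data with a hash that is explicitly NOT used for security.

Added example (not from the coverage or safety projects). Demonstrates the
hashlib `usedforsecurity=False` flag that lets a FIPS-restricted interpreter
build an MD5 object for non-cryptographic purposes such as detecting whether
a source file changed since it was last seen.
"""
import hashlib
from typing import Iterable


def _new_hasher(algorithm: str):
    """Create a hash object, declaring the non-security intent where possible.

    Python >= 3.9 accepts `usedforsecurity`; on older interpreters the keyword
    raises TypeError, so we retry without it. On a FIPS-restricted build that
    *does* know the keyword, omitting it would make MD5 construction fail.
    """
    try:
        return hashlib.new(algorithm, usedforsecurity=False)
    except TypeError:  # interpreter predates the keyword (assumed < 3.9)
        return hashlib.new(algorithm)


def fingerprint_bytes(data: bytes, algorithm: str = "md5") -> str:
    """Hex fingerprint of an in-memory blob (e.g. a module's source text)."""
    h = _new_hasher(algorithm)
    h.update(data)
    return h.hexdigest()


def fingerprint_chunks(chunks: Iterable[bytes], algorithm: str = "md5") -> str:
    """Same fingerprint, but fed incrementally so large files need not be
    loaded at once. Chunk boundaries do not affect the result."""
    h = _new_hasher(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def md5_usable_for_fingerprinting() -> bool:
    """Report whether this runtime will hand out MD5 for non-security use.

    Returns False only on builds where even the explicit non-security request
    is refused (hashlib raises ValueError for a disabled algorithm).
    """
    try:
        _new_hasher("md5")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample input standing in for a source file's contents.
    sample_source = b"abc"
    print("md5   :", fingerprint_bytes(sample_source))
    print("sha256:", fingerprint_bytes(sample_source, "sha256"))
    print("md5 usable for fingerprinting:", md5_usable_for_fingerprinting())
```

The same hex digest comes out whether or not the flag is passed; `usedforsecurity` only changes whether a restricted runtime is willing to construct the object. Switching the `algorithm` argument to `"sha256"` is the other way to satisfy a scanner that flags MD5 by name, at the cost of changing every stored fingerprint.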

@nedbat
Owner

nedbat commented Aug 2, 2021

This is a duplicate of #1198.

@nedbat nedbat closed this as completed Aug 2, 2021
@nedbat nedbat added the duplicate This issue or pull request already exists label Aug 2, 2021
CaptainAchab pushed a commit to TankerHQ/sdk-python that referenced this issue Aug 5, 2021
Until coverage package has a stable 6.0 release.
nedbat/coveragepy#1200