PyTorch logo
Munguva pfupi smashoko pamusoro pekurwiswa akaburitswa kuti zvivakwa zvakashandiswa mukuvandudza kwemuchina kudzidza chimiro zvakatambura PyTorch. Pakati pezvinhu zvehunyanzvi zvakaburitswa, zvinotaurwa izvozvo Murwi akakwanisa kuburitsa makiyi ekupinda iyo yakakubvumidza iwe kuisa dhata rekupokana muGitHub neAWS repository, kutsiva kodhi mushe bazi reiyo repository, uye wedzera backdoor kuburikidza nekutsamira.
Chiitiko ichi kunounza njodzi huru, sezvo spoofing yePyTorch shanduro inogona kushandiswa kurwisa makambani makuru akadai seGoogle, Meta, Boeing uye Lockheed Martin, anoshandisa PyTorch mumapurojekiti avo.
Mwedzi mina yadarika, Adnan Khan neni takashandisa njodzi yakaoma yeCI/CD muPyTorch, imwe yemapuratifomu emuchina anotungamira pasi rose. Inoshandiswa nematitans akaita seGoogle, Meta, Boeing, uye Lockheed Martin, PyTorch ndiyo inonyanya kunangwa yevanoba uye nyika-nyika zvakafanana.
Sezvineiwo, takatora mukana wekusagadzikana uku vanhu vakaipa vasati vaita.
Izvi ndizvo zvatakaita.
Nezvekurwiswa, zvinonzi izvi Inouya pasi pakukwanisa kumhanya kodhi pane inoenderera mberi yekubatanidza maseva iyo inoita kuvakazve uye inomhanyisa mabasa kuyedza shanduko nyowani dzakasundirwa kune repository. Iyo nyaya inobata mapurojekiti anoshandisa ekunze "Self-Hosted Runner" madhiraivha neGitHub Zviito. Kusiyana neyakajairwa GitHub Zviito, vanozvimiririra vanodzora havamhanye paGitHub zvivakwa, asi pamaseva avo kana pamashini chaiwo anochengetwa nevagadziri.
Kumhanya kuvaka mabasa pamaseva ako kunobvumidza iwe kuronga kuburitswa kwekodhi iyo inogona kutarisisa network yemukati yekambani, tsvaga iyo FS yemuno makiyi encryption makiyi ekuwana uye tokens yekuwana, uye ongorora machinjiro ezvakatipoteredza nemaparamita kuti uwane ekunze kuchengetedza kana gore masevhisi uye neizvi, kuburikidza nevatyairi ava, murwi akakwanisa kuita mabasa ekubatanidza pamaseva avo, izvo zvakavabvumira kuongorora network yemukati yekambani kutsvaga makiyi ekunyorera uye tokens dzekuwana.
MuPyTorch nemamwe mapurojekiti anoshandisa Self-Hosted Runner, ari Vagadziri vanogona kumhanyisa kuvaka mabasan chete mushure mekunge shanduko dzako dzaongororwa. Zvisinei, murwi akakwanisa kunzvenga gadziriro iyi nekutanga kutumira shanduko diki uyezve, kamwe yakagamuchirwa, otomatiki akawana chimiro che "mubatsiri" iyo yakakubvumidza kuti umhanye kodhi mune chero GitHub Zviito Runner nharaunda yakabatana neiyo repository kana inotarisira sangano. Munguva yekurwiswa, makiyi eGitHub ekuwana uye makiyi eAWS akabatwa, zvichibvumira anorwisa kukanganisa zvivakwa.
Iyo yekubatanidza kune "mubatsiri" mamiriro yakave nyore kunzvenga: zvakakwana kuti utange kuendesa shanduko diki uye kumirira kuti igamuchirwe muiyo kodhi base, mushure mezvo mugadziri anogamuchira otomatiki chimiro chemutori anoshanda. ane zvikumbiro zvekudhonza zvinogona kuyedzwa muCI zvivakwa pasina kupatsanurwa kwechokwadi. Kuti uwane chimiro chemugadziri anoshanda, kuyedza kwaisanganisira shanduko diki dzekushongedza kugadzirisa typos muzvinyorwa. Kuti uwane mukana kune repository uye chengetedzo yePyTorch shanduro, panguva yekurwiswa paunenge uchiita kodhi mu "Self-Hosted Runner", iyo GitHub tokeni yakashandiswa kuwana repository kubva kune ekuvaka maitiro akabvumwa (GITHUB_TOKEN yakabvumidzwa kunyora kupinda ), zvakare. semakiyi eAWS anobatanidzwa mukuchengetedza mhedzisiro yekuvaka.
Saka nekudaro, zvinotaurwa izvo iyi nyaya haina kunangana nePyTorch uye inobata mamwe mapurojekiti makuru iyo inoshandisa zvigadziriso zve "Self-Hosted Runner" muGitHub Zviito.
Pamusoro pezvo, mukana wekurwiswa kwakafanana pa cryptocurrency, blockchain, Microsoft Deepspeed, TensorFlow uye mamwe mapurojekiti ataurwa, aine mhedzisiro yakaipa. Vatsvagiri vakaendesa zvinopfuura makumi maviri zvikumbiro kune bug bounty zvirongwa, vachitsvaga mibairo inokosha mazana ezviuru zvemadhora.
pakupedzisira kana uri kufarira kuziva zvakawanda nezvazvo, unogona kutarisa ruzivo mu inotevera chinongedzo.