README: update security section
This commit is contained in:
Paul Miller
parent
df9d461adf
commit
5c477a88fa
30
README.md
30
README.md
|
|
@ -872,30 +872,22 @@ Use low-level libraries & languages. Nonetheless we're targetting algorithmic co
|
|||
|
||||
### Supply chain security
|
||||
|
||||
1. Commits are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
|
||||
2. Releases are [transparently built](https://docs.npmjs.com/generating-provenance-statements)
|
||||
on GitHub CI. Make sure to verify provenance logs.
|
||||
3. Releasing itself is rare, on purpose.
|
||||
The less often package is updated, the less code dependents would need to audit.
|
||||
4. Dependency count is minimal and updates are rare:
|
||||
|
||||
a. All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff`
|
||||
b. Dependency updates are rare, to ensure rogue updates are not catched accidentally
|
||||
c. One dependency [noble-hashes](https://github.com/paulmillr/noble-hashes) is used, by the same author,
|
||||
to provide hashing functionality.
|
||||
|
||||
1. **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
|
||||
2. **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
|
||||
3. **Rare releasing** is followed.
|
||||
The less often it is done, the less code dependents would need to audit
|
||||
4. **Dependencies** are minimal:
|
||||
- All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff`
|
||||
- Updates themselves are rare, to ensure rogue updates are not catched accidentally
|
||||
- One dependency [noble-hashes](https://github.com/paulmillr/noble-hashes) is used, by the same author, to provide hashing functionality
|
||||
5. devDependencies are only used if you want to contribute to the repo. They are disabled for end-users:
|
||||
|
||||
a. scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are
|
||||
developed the same author and follow the same security practices.
|
||||
b. prettier (linter), fast-check (property-based testing) and typescript
|
||||
are used for code quality, vector generation and ts compilation.
|
||||
The packages are big, which makes it hard to audit their source code thoroughly and fully.
|
||||
- scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are developed by the same author and follow identical security practices
|
||||
- prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully
|
||||
|
||||
We consider infrastructure attacks like rogue NPM modules very important;
|
||||
that's why it's crucial to minimize the amount of 3rd-party dependencies & native bindings.
|
||||
If your app uses 500 dependencies, any dep could get hacked and you'll be
|
||||
downloading malware with every `npm install`. Our goal is to minimize this attack vector.
|
||||
downloading malware with every install. Our goal is to minimize this attack vector.
|
||||
|
||||
If you see anything unusual: investigate and report.
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,7 @@
|
|||
# Security Policy
|
||||
|
||||
See [README's Security section](./README.md#security) for detailed description of internal security practices.
|
||||
|
||||
## Supported Versions
|
||||
|
||||
| Version | Supported |
|
||||
|
|
|
|||
Loading…
Reference in New Issue