README: update security section

Paul Miller 2023-08-29 12:25:58 +00:00
parent df9d461adf
commit 5c477a88fa
No known key found for this signature in database
GPG Key ID: 697079DA6878B89B
2 changed files with 13 additions and 19 deletions

@ -872,30 +872,22 @@ Use low-level libraries & languages. Nonetheless we're targetting algorithmic co
### Supply chain security
1. Commits are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
2. Releases are [transparently built](https://docs.npmjs.com/generating-provenance-statements)
on GitHub CI. Make sure to verify provenance logs.
3. Releasing itself is rare, on purpose.
The less often package is updated, the less code dependents would need to audit.
4. Dependency count is minimal and updates are rare:
a. All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff`
b. Dependency updates are rare, to ensure rogue updates are not catched accidentally
c. One dependency [noble-hashes](https://github.com/paulmillr/noble-hashes) is used, by the same author,
to provide hashing functionality.
1. **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
2. **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
3. **Rare releasing** is followed.
The less often it is done, the less code dependents would need to audit
4. **Dependencies** are minimal:
- All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff`
- Updates themselves are rare, to ensure rogue updates are not catched accidentally
- One dependency [noble-hashes](https://github.com/paulmillr/noble-hashes) is used, by the same author, to provide hashing functionality
5. devDependencies are only used if you want to contribute to the repo. They are disabled for end-users:
a. scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are
developed the same author and follow the same security practices.
b. prettier (linter), fast-check (property-based testing) and typescript
are used for code quality, vector generation and ts compilation.
The packages are big, which makes it hard to audit their source code thoroughly and fully.
- scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are developed by the same author and follow identical security practices
- prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully
We consider infrastructure attacks like rogue NPM modules very important;
that's why it's crucial to minimize the amount of 3rd-party dependencies & native bindings.
If your app uses 500 dependencies, any dep could get hacked and you'll be
downloading malware with every `npm install`. Our goal is to minimize this attack vector.
downloading malware with every install. Our goal is to minimize this attack vector.
If you see anything unusual: investigate and report.
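Review bot: the typo in the new bullet "Updates themselves are rare, to ensure rogue updates are not catched accidentally" is carried over unchanged from the removed line; "catched" should be "caught", and the intent is clearer as "Updates are rare, so a compromised upstream release is less likely to be picked up by accident." Two smaller points in the same hunk: "They are disabled for end-users" (item 5) is imprecise, since npm simply does not install a dependency's devDependencies for consumers, so "not installed for end-users" states the actual mechanism; and "Make sure to verify provenance logs" (item 2) still gives readers no way to do so, so consider naming the command, e.g. `npm audit signatures`, which checks registry signatures and provenance attestations of installed packages.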

@ -1,5 +1,7 @@
# Security Policy
See [README's Security section](./README.md#security) for detailed description of internal security practices.
## Supported Versions
| Version | Supported |
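Review bot: the new link `./README.md#security` assumes the README has a heading whose slug is `security`; the only heading visible in the README hunk is "### Supply chain security", whose anchor would be `#supply-chain-security`. Please confirm a parent "Security" heading exists, or point the link at the anchor of the heading that actually carries these practices.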