This commit is contained in:
Paul Miller 2023-10-07 12:39:45 +00:00
parent 8ba25a1c40
commit 911801ec0f
No known key found for this signature in database
GPG Key ID: 697079DA6878B89B

@ -804,6 +804,8 @@ The library has been independently audited:
It is tested against property-based, cross-library and Wycheproof vectors, It is tested against property-based, cross-library and Wycheproof vectors,
and has fuzzing by [Guido Vranken's cryptofuzz](https://github.com/guidovranken/cryptofuzz). and has fuzzing by [Guido Vranken's cryptofuzz](https://github.com/guidovranken/cryptofuzz).
If you see anything unusual: investigate and report.
### Constant-timeness ### Constant-timeness
_JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to _JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to
@ -818,8 +820,7 @@ Use low-level libraries & languages. Nonetheless we're targetting algorithmic co
* **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures. * **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
* **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs * **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
* **Rare releasing** is followed. * **Rare releasing** is followed to ensure less re-audit need for end-users
The less often it is done, the less code dependents would need to audit
* **Dependencies** are minimal: * **Dependencies** are minimal:
- All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff` - All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff`
- Updates themselves are rare, to ensure rogue updates are not catched accidentally - Updates themselves are rare, to ensure rogue updates are not catched accidentally
@ -833,14 +834,11 @@ that's why it's crucial to minimize the amount of 3rd-party dependencies & nativ
If your app uses 500 dependencies, any dep could get hacked and you'll be If your app uses 500 dependencies, any dep could get hacked and you'll be
downloading malware with every install. Our goal is to minimize this attack vector. downloading malware with every install. Our goal is to minimize this attack vector.
If you see anything unusual: investigate and report.
### Randomness ### Randomness
We're deferring to built-in We're deferring to built-in
[crypto.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) [crypto.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues)
which is considered cryptographically secure (CSPRNG). which is considered cryptographically secure (CSPRNG).
In the past, browsers had bugs that made it weak: it may happen again. In the past, browsers had bugs that made it weak: it may happen again.
## Speed ## Speed