[HN Gopher] Non-technical security best-practices for open sourc...
       ___________________________________________________________________

       Non-technical security best-practices for open source projects

       Author : zdw
       Score  : 57 points
       Date   : 2021-06-04 04:46 UTC (1 days ago)

  HTM  web link (git.sr.ht)
  TXT  w3m dump (git.sr.ht)

       | vegetablepotpie wrote:
       | My summary
       |
       | 1. Make bug reporting easy with an obvious place to report.
       |
       | 2. Do not change interfaces between versions because users will
       | hesitate to upgrade to get security patches.
       |
       | 3. For libraries, maintain security fixes for older versions, and
       | provide clear documentation so that users can upgrade to newer
       | versions.
       |
       | 4. For applications, either change slowly or make a compelling
       | case for change.
       |
         | marcosdumay wrote:
         | And there are those two links, which are very good:
         |
         | https://ozlabs.org/~rusty/index.cgi/tech/2008-03-30.html
         |
         | https://ozlabs.org/~rusty/index.cgi/tech/2008-04-01.html
         |
         | ocdtrekkie wrote:
         | I feel so many companies, especially of operating systems and
         | web browsers, need to understand point 2.

       | mfontani wrote:
       | The actual slides (as PDF):
       | https://git.sr.ht/~gregkh/presentation-non-tech-security/blo...

       | Jtsummers wrote:
       | @dang:
       |
       | Since GitHub submissions were altered to show more of the URL
       | (enough to show the user/team/organization name), could the same
       | be done with other repository hosts like sr.ht?
       |
         | vlmutolo wrote:
         | I wonder if the right approach here is for HN to just use the
         | public suffix list [0], and then sites like SourceHut should be
         | added to it.
         |
         | [0] https://publicsuffix.org/
         |
           | Jtsummers wrote:
           | Looking at that, it would work (to the extent the list is
           | complete) for things like GitHub pages (at github.io, like
           | foo.github.io), but it doesn't work for GitHub user pages and
           | repositories like github.com/foo or github.com/foo/bar. If
           | the URL included a ~ like old-school user sites, then it could
           | be automatically detectable (assuming others don't randomly
           | throw a ~ into their paths), like our university websites
           | back in the day with foo.edu/~bar or math.foo.edu/~bar. Of
           | course, now you've got sites using @ (Replit) instead of ~ to
           | indicate a similar notion (that it's a user page and not,
           | properly, the work of the main server hosts/owners), and
           | GitHub and others don't include any kind of sigil providing
           | this kind of information.

       | Aeolun wrote:
       | The mobile UI for sr.ht is pretty impenetrable. Navigation links
       | look exactly like unclickable text...
       ___________________________________________________________________
       (page generated 2021-06-05 23:00 UTC)