[HN Gopher] Non-technical security best-practices for open sourc...
       ___________________________________________________________________
        
       Non-technical security best-practices for open source projects
        
       Author : zdw
       Score  : 57 points
       Date   : 2021-06-04 04:46 UTC (1 days ago)
        
 (HTM) web link (git.sr.ht)
 (TXT) w3m dump (git.sr.ht)
        
       | vegetablepotpie wrote:
       | My summary
       | 
       | 1. Make bug reporting easy with an obvious place to report
       | 
       | 2. Do not change interfaces between versions because users will
       | hesitate to upgrade to get security patches.
       | 
        | 3. For libraries, maintain security fixes for older versions and
        | provide clear documentation so that users can upgrade to newer
        | versions.
       | 
       | 4. For applications, either change slowly or make a compelling
       | case for change.
        
         | marcosdumay wrote:
          | And there are those two links, which are very good:
         | 
         | https://ozlabs.org/~rusty/index.cgi/tech/2008-03-30.html
         | 
         | https://ozlabs.org/~rusty/index.cgi/tech/2008-04-01.html
        
         | ocdtrekkie wrote:
         | I feel so many companies, especially of operating systems and
         | web browsers, need to understand point 2.
        
       | mfontani wrote:
       | The actual slides (as PDF):
       | https://git.sr.ht/~gregkh/presentation-non-tech-security/blo...
        
       | Jtsummers wrote:
       | @dang:
       | 
       | Since GitHub submissions were altered to show more of the URL
       | (enough to show user/team/organization name), could the same be
       | done with other repository hosts like sr.ht?
        
         | vlmutolo wrote:
         | I wonder if the right approach here is for HN to just use the
         | public suffix list [0], and then sites like SourceHut should be
         | added to it.
         | 
         | [0] https://publicsuffix.org/
        
           | Jtsummers wrote:
           | Looking at that, it would work (to the extent the list is
           | complete) for things like GitHub pages (at github.io, like
           | foo.github.io) but it doesn't work for GitHub user pages and
           | repositories like github.com/foo or github.com/foo/bar. If
           | the URL included a ~ like old school user sites then it could
           | be automatically detectable (assuming others don't randomly
            | throw a ~ into their paths) like our university websites
           | back in the day with foo.edu/~bar or math.foo.edu/~bar. Of
           | course, now you've got sites using @ (Replit) instead of ~ to
           | indicate a similar notion (that it's a user page and not,
           | properly, the work of the main server hosts/owners), and
           | GitHub and others don't include any kind of sigil providing
           | this kind of information.
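As an added illustration (not part of the thread, and not HN's or SourceHut's code), here is a small Python sketch of the two strategies the comments above contrast: a public-suffix lookup for the domain part, a sigil check (~ or @) for user-owned paths, and an explicit per-host exception of the kind HN applied to GitHub. The point from a trust perspective is that the label shows who owns the content, so a reader does not judge a link by the hosting domain alone. The suffix set, the exception table and the sample URLs are constructed for the example; the real public suffix list has thousands of rules plus wildcard and exception syntax that this toy version ignores.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list (https://publicsuffix.org/).
# Only the hosts discussed in the thread are covered; this is an assumption
# for the example, not a copy of the real list.
PUBLIC_SUFFIXES = {"com", "edu", "net", "org", "github.io"}

# Hosts where the first path segment is the owner even though there is no
# sigil (the special case HN made for GitHub). Constructed for the example.
OWNER_IN_FIRST_SEGMENT = {"github.com"}

# Characters that "old school" user sites (~) and newer ones (@) put in front
# of a user-owned path segment.
USER_SIGILS = ("~", "@")


def registrable_domain(host):
    """Return the registrable domain of HOST under the toy suffix set above.

    Core idea of the PSL algorithm: find the longest matching public suffix
    and keep one extra label. With no matching rule the PSL default rule
    ("*") applies, so the last two labels are kept.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host itself is a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def owner_segment(host, path):
    """Return the path segment that identifies the owner, or None.

    A leading ~ or @ is taken as a user-page sigil; hosts listed in
    OWNER_IN_FIRST_SEGMENT are handled by explicit exception instead.
    """
    segments = [s for s in path.split("/") if s]
    if not segments:
        return None
    first = segments[0]
    if first[0] in USER_SIGILS or host in OWNER_IN_FIRST_SEGMENT:
        return first
    return None


def display_label(url):
    """Build the short label a link aggregator might show beside a submission."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    host = parts.hostname.lower()
    domain = registrable_domain(host) or host
    owner = owner_segment(host, parts.path)
    return "%s/%s" % (domain, owner) if owner else domain


if __name__ == "__main__":
    # Constructed sample URLs covering the cases raised in the thread.
    for sample in [
        "https://git.sr.ht/~gregkh/presentation-non-tech-security",
        "https://foo.github.io/bar",
        "https://github.com/foo/bar",
        "https://replit.com/@foo/project",
        "https://math.foo.edu/~bar",
        "https://example.com/foo/bar",
    ]:
        print("%-60s -> %s" % (sample, display_label(sample)))
```

Note that "example.com/foo/bar" comes out as plain "example.com": without a sigil or a per-host rule there is nothing in the URL itself that marks "foo" as an owner, which is exactly the gap the comment above describes for GitHub-style paths.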
        
       | Aeolun wrote:
       | The mobile UI for sr.ht is pretty impenetrable. Navigation links
       | look exactly like unclickable text...
        
       ___________________________________________________________________
       (page generated 2021-06-05 23:00 UTC)