With the goal of keeping this project secure, several measures are taken:
- Good test coverage to prevent bugs.
- Code fuzzed to uncover unexpected bugs.
- Static typing to prevent type-related bugs.
- Tags, releases and packages are always signed.
- No external dependencies to diminish attack surface and risk.
- Safe defaults and secure minimums enforced for sensitive values.
- Analysis of (dev) dependencies for known vulnerabilities using safety and trivy.
- Static analysis of code for common pitfalls and potential vulnerabilities using bandit.
- Build reproducibility thanks to poetry: trusted code -> trusted package (although this may not be too important).

Continuous fuzzing wanted
Fuzzing truly benefits a project when it is run continuously, but I can't currently pay for a VPS for this, so I'm looking for ideas on this matter.

External security review
This project hasn't been externally audited yet, so it needs a security review. If you are an expert and can do it, please contact me. The results of said review will be published here.