Announcing the /grin-security repo

Following discussion with @joltz and the core team, a new repository has been created, focused on security: https://github.com/mimblewimble/grin-security

Motivation

This was triggered by this PR: https://github.com/mimblewimble/grin/pull/3009

When adding canaries, doing it in the SECURITY.md document itself makes it messy for reviewers to verify, and difficult in general to keep track of historical canaries. It’s preferred to keep the canaries as .txt files, but it doesn’t make sense to do that in the node repo.

A dedicated repo makes it easier for us to keep security-related data in one place. Right now, for example, our libsecp audit is stored under /site/audits, which probably doesn’t make a lot of sense.

Proposed contents of /grin-security

  • audit reports
  • canaries
  • pgp keys
  • CVE incident details

We’d probably keep SECURITY.md in the /grin repo as is, in order to take advantage of the GitHub feature of displaying the info to users when opening an issue. But we’d link to it from the security repo and from grin-wallet as well, and anywhere else it is relevant.

Prior art

An example of a security repo used in other projects is https://github.com/QubesOS/qubes-secpack

Feedback, questions, suggestions

Please raise in thread.