This was triggered by this PR: https://github.com/mimblewimble/grin/pull/3009
When adding canaries, doing it in the SECURITY.MD document itself makes it messy for reviewers to verify, and difficult in general to keep track of historical canaries. It’s preferred to keep the canaries as
.txt files, but it doesn’t make sense to do that in the node repo.
A dedicated repo makes it easier for us to keep security related data in one place. Right now for example our libsecp audit is stored under /site/audits which probably doesn’t make a lot of sense.
Proposed contents of /grin-security
- audit reports
- pgp keys
- CVE incident details
We’d probably keep SECURITY.md in the
/grin repo as is, in order to take advantage of the GitHub feature of displaying the info to users when opening an issue. But we’d link to it from the security repo and from grin-wallet as well, and anywhere else it is relevant.
An example of a security repo used in other projects is https://github.com/QubesOS/qubes-secpack
Feedback, questions suggestions
Please raise in thread.