security policy publication for open-source projects?
I formulated an extensive security policy for a new project of mine which I will be releasing under GPL. Although the code will be open-source, the built-in security will not be readily apparent in the code no matter how well I comment it. Is it a bad idea to make my security policies public? I won't necessarily put line numbers and source files in the reference, but I would like the general foundation to be public to assure users that the application will be safe to run on their system. What is the standard level of security publication for an open-source project? Thanks.
ta0kira
Security policies and techniques should work equally well whether they are known or not. If security policies are dependent on being hidden then the vulnerability would become apparent when someone figures out what you have done to secure the system.
I wrote the policy with publication in mind, and the main reason I'd publish it is to assure users that I've taken certain measures that they might wonder about. I intend for the policy to be as open-source as the software, but was not sure if there was a line which should not be crossed. I'd also like expert opinions to help make it more secure. The project is under development and should be ready for alpha this month sometime, so I'd like to decide what level of detail I should go into with the security explanation. I think I'll write up a web page tonight and see what I have as a start. Thanks.
ta0kira
Stress_junkie is absolutely correct. And nobody has made this point more often, or more convincingly, than Bruce Schneier. I definitely urge you to read his classic "Secrets and Lies" (assuming you don't already have it on your bookshelf), or check out this article:
I was leaning in that direction, I just wanted to make sure. Here it is, although it doesn't make a lot of sense out of context. I haven't released any code yet but I plan to in the next 2 months. Thanks for the advice.
Resourcerver Security Policy
Keeping your security "secret" won't add any security. If I understand your question correctly, you just want to know if there are any unexpected consequences lurking if you publish? The only consequence I can think of is that the rest of the open-source world has a good example of secure programming - not too bad. Please do publish if you'd like to.
Yes, I was worried about something unexpected, but I agree that they can't be much worse than those already invited by going open-source in the first place. Please see the link in my previous post. Thanks.
ta0kira