4765752ee3
This commit introduces several improvements to the macOS update process, primarily focusing on enhancing security and reliability: - Add data integrity checks to ensure downloaded updates haven't been tampered with. - Optimize update progress logging in `streamWithProgress` by limiting amount of logs during the download process. - Improve resource management by ensuring proper closure of file read/write streams. - Add retry logic with exponential back-off during file access to handle occassionally seen file system preparation delays on macOS. - Improve decision-making based on user responses. - Improve clarity and informativeness of log messages. - Update error dialogs for better user guidance when updates fail to download, unexpected errors occur or the installer can't be opened. - Add handling for unexpected errors during the update process. - Move to asynchronous functions for more efficient operation. - Move to scoped imports for better code clarity. - Update `Readable` stream type to a more modern variant in Node. - Refactor `ManualUpdater` for improved separation of concerns. - Document the secure update process, and log directory locations. - Rename files to more accurately reflect their purpose. - Add `.DS_Store` in `.gitignore` to avoid unintended files in commits.
44 lines
2.3 KiB
Markdown
44 lines
2.3 KiB
Markdown
# Security Policy
|
|
|
|
Security is a top priority at privacy.sexy.
|
|
Please report any discovered vulnerabilities responsibly.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
Efforts to responsibly disclose findings are greatly appreciated. To report a security vulnerability, follow these steps:
|
|
|
|
- For general vulnerabilities, [open an issue](https://github.com/undergroundwires/privacy.sexy/issues/new/choose) using the bug report template.
|
|
- For sensitive matters, [contact the developer directly](https://undergroundwires.dev).
|
|
|
|
## Security Report Handling
|
|
|
|
Upon receiving a security report, the process involves:
|
|
|
|
- Confirming the report and identifying affected components.
|
|
- Assessing the impact and severity of the issue.
|
|
- Fixing the vulnerability and planning a release to address it.
|
|
- Keeping the reporter informed about progress.
|
|
|
|
## Security Practices
|
|
|
|
### Update Security and Integrity
|
|
|
|
privacy.sexy benefits from automated update processes including security tests. Automated deployments from source code ensure immediate and secure updates, mirroring the latest source code. This aligns the deployed application with the expected source code, enhancing transparency and trust. For more details, see [CI/CD Documentation](./docs/ci-cd.md).
|
|
|
|
Every desktop update undergoes a thorough verification process. Updates are cryptographically signed to ensure authenticity and integrity, preventing tampered versions from reaching your device. Version checks are conducted to prevent downgrade attacks.
|
|
|
|
### Testing
|
|
|
|
privacy.sexy employs a comprehensive testing strategy that integrates extensive automated testing with manual community-driven tests.
|
|
Details on testing practices are available in the [Testing Documentation](./docs/tests.md).
|
|
|
|
## Support
|
|
|
|
For help or any questions, [submit a GitHub issue](https://github.com/undergroundwires/privacy.sexy/issues/new/choose). Addressing security concerns is a priority, and we ensure the necessary support.
|
|
|
|
Support privacy.sexy's commitment to security by [making a donation ❤️](https://github.com/sponsors/undergroundwires). Your contributions aid in maintaining and enhancing the project's security features.
|
|
|
|
---
|
|
|
|
Active contribution to the safety and security of privacy.sexy is thanked. This collaborative effort keeps the project resilient and trustworthy for all.
|