LionWeb-io / lionweb-repository

Reference implementation of LionWeb repository
Apache License 2.0

Defining a security policy #41

Open ftomassetti opened 4 months ago

ftomassetti commented 4 months ago

In the discussion on obfuscation (#38) some security concerns came up.

It could make sense to provide guidance to the users to avoid giving them a false sense of security (as suggested by @enikao).

My suggestion is to:

  1. Indicate in the documentation that, while we provide an obfuscation mechanism, this should not be regarded as a way to make the application completely safe. We should indicate instead our recommended way to handle security
  2. Output some message when obfuscation through the token is set, indicating that in some circumstances, this should not be enough and suggesting to look into the documentation for alternatives

As for the suggested method to handle security, we could suggest using an authentication proxy in front of the lionweb repository. I would go as far as identifying a suggested one and providing a simple example of how to configure it. While this may need a little bit of work, that would be far less work than implementing something in the LionWeb Repository itself.

What do you think?

dslmeinte commented 4 months ago

Let's do as much of this – especially where it's “just” documenting – as soon as possible.

joswarmer commented 3 months ago

A simple example of a security mechanism (outside of the repository) would be great.

dslmeinte commented 1 month ago

CRA links (to think about, and discuss):