edgi-govdata-archiving / archivers.space

🗄 Event data management app used at DataRescues
https://www.archivers.space/
GNU Affero General Public License v3.0

Meteor code security review #47

Closed kmcculloch closed 7 years ago

kmcculloch commented 7 years ago

Need to work out a security review process in advance of releasing the code (or decide never to do it). I know nothing as yet about the meteor community so I don't know what resources there are for this.

dcwalk commented 7 years ago

@b5 did you ever connect with @zsck about this? Thoughts on how to proceed are welcome.

arcrose commented 7 years ago

I'm happy to help with this. My buddy Michael who was with me at last Tuesday's meeting is also interested in contributing to a security review.

Some things we can do to help:

  1. Review the source code
  2. Perform a vulnerability assessment on the (live? a local instance?) application.

Are the contents of this repository the only one we're looking to review right now? Are there any documents we should read before starting? Could somebody identify the parts of the application that deserve the highest priority in a review?

Answers to these questions will help to get the process started, along with any other advice we can get about using, setting up, and navigating the application.

dcwalk commented 7 years ago

I think this is our priority for security, so the Archivers App code base including deployment config/scripts. Maybe @kmcculloch and @b5 could coordinate with @zsck (and Michael), how to proceed?

Happy to help facilitate that, it seems like coming out of a review some other issues would be touched on/addressed: #52, #51, #10, #2, #1 and some decisions RE: documentation on deployment, etc... could occur?

At some point we have bigger security questions (see: https://github.com/edgi-govdata-archiving/overview/issues/50), but I think a run through of a scoped project would be a great first start.

dcwalk commented 7 years ago

Per our meeting on Thurs, Mar 9 we have a plan to open the code!

Roadmap to opening Archivers App, target date of Friday March 17:

  1. code cleanup/linting complete
  2. integration of security middleware into dev process per @zsck’s recommendation
  3. Add middleware recommendations to org-wide project guidelines
  4. identify areas of codebase that are of concern and open issues (e.g. memory usage, imports api)
  5. address https redirect and ensure CORS handling okay
  6. throw a license on the code

titaniumbones commented 7 years ago

Amazing! Great work!

dcwalk commented 7 years ago

@b5 and @zsck can we get an update on this? Anything I can help move forward? Are we still on track for a Friday launch?

b5 commented 7 years ago

We're still on track to open it up this week. I'm in meetings for the rest of the day, but should be able to hit publish sometime this evening

b5 commented 7 years ago

Ok update on this: @zsck suggested some fantastic resources for checking security:

We should definitely get the eslint-security plugin up & running, and save Helmet & NSP for our new app that'll have an express server involved. As for this app, meteor publishes a solid security checklist. That Checklist for us:

I'll do what I can to work through this list ASAP, with a goal of being done this evening.

titaniumbones commented 7 years ago

@b5 that's really helpful thank you!

b5 commented 7 years ago

Alright team, @kmcculloch & I have gone through the whole list, and I'm feeling confident that we've done our due diligence in securing the app. The only outstanding task is adding specific filters to selector fields, which I'm going to create a new issue for. So with that, I think it's finally time to open this thing up. Thank you so much to everyone who worked hard to get this thing out in the open where it belongs. Y'all know who you are ;)
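The outstanding item above, "specific filters to selector fields", is the Meteor security checklist's advice not to pass a client-supplied selector or projection straight into a collection query. The block below is an added example and not code from the archivers.space project: it rebuilds a selector from an allowlist of fields, operators and values, fixes the projection server-side, and runs against a constructed in-memory "urls" collection so it works under plain Node with no Meteor dependency. The collection name, field names (`status`, `event`, `priority`, `researcherNotes`) and the policy table are assumptions chosen for illustration; in a Meteor method you would call `buildSafeSelector()` on the argument before handing it to `find()`.

```javascript
// Added example (not archivers.space code): allowlist a client-supplied
// Mongo-style selector before it reaches the database. Field names, policy
// and sample documents are constructed for this illustration.

// Hypothetical policy for a "urls" collection: the only fields a client may
// filter on, the operators permitted per field, and (optionally) the values.
const SELECTOR_POLICY = {
  status:   { ops: ['$eq', '$in'], allowedValues: ['new', 'researched', 'harvested'] },
  event:    { ops: ['$eq'] },
  priority: { ops: ['$eq', '$gte', '$lte'] },
};

// Fields a client is allowed to read back; everything else is never projected.
const PUBLIC_FIELDS = ['_id', 'url', 'status', 'event', 'priority'];

class SelectorError extends Error {}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;
}

// Only scalars reach the query: nested objects (which could carry operators
// the policy never listed), arrays and functions are rejected here.
function checkScalar(field, policy, v) {
  if (typeof v !== 'string' && typeof v !== 'number') {
    throw new SelectorError(`non-scalar value for field ${field}`);
  }
  if (policy.allowedValues && !policy.allowedValues.includes(v)) {
    throw new SelectorError(`value not permitted for field ${field}`);
  }
}

// Rebuild the selector from scratch rather than passing the client's object
// through: every key must be an allowlisted field and every operator must be
// allowlisted for that field. Top-level operators ($where, $or, ...) are not
// fields in the policy, so they fail the first lookup.
function buildSafeSelector(clientSelector) {
  if (!isPlainObject(clientSelector)) throw new SelectorError('selector must be an object');
  const safe = {};
  for (const [field, cond] of Object.entries(clientSelector)) {
    const policy = SELECTOR_POLICY[field];
    if (!policy) throw new SelectorError(`field not filterable: ${field}`);
    if (!isPlainObject(cond)) {            // a bare value means equality
      checkScalar(field, policy, cond);
      safe[field] = { $eq: cond };
      continue;
    }
    const out = {};
    for (const [op, val] of Object.entries(cond)) {
      if (!policy.ops.includes(op)) throw new SelectorError(`operator ${op} not allowed on ${field}`);
      if (op === '$in') {
        if (!Array.isArray(val) || val.length === 0 || val.length > 50) {
          throw new SelectorError(`$in on ${field} needs 1..50 values`);
        }
        val.forEach((v) => checkScalar(field, policy, v));
      } else {
        checkScalar(field, policy, val);
      }
      out[op] = val;
    }
    safe[field] = out;
  }
  return safe;
}

// The projection is fixed server-side and never taken from the client.
function publicProjection() {
  return Object.fromEntries(PUBLIC_FIELDS.map((f) => [f, 1]));
}

// Minimal in-memory matcher for the operators the policy can emit, so the
// example runs without a database; a real app hands the safe selector and
// projection to the collection's find().
function docMatches(doc, safeSelector) {
  return Object.entries(safeSelector).every(([field, cond]) =>
    Object.entries(cond).every(([op, val]) => {
      const x = doc[field];
      if (op === '$eq') return x === val;
      if (op === '$in') return val.includes(x);
      if (op === '$gte') return x >= val;
      if (op === '$lte') return x <= val;
      return false;
    }));
}

// Constructed sample documents; researcherNotes stands in for a field that
// ordinary clients must neither filter on nor read.
const URLS = [
  { _id: 'a1', url: 'https://example.org/d1', status: 'new',       event: 'ev-01', priority: 3, researcherNotes: 'internal' },
  { _id: 'a2', url: 'https://example.org/d2', status: 'harvested', event: 'ev-01', priority: 1, researcherNotes: 'internal' },
  { _id: 'a3', url: 'https://example.org/d3', status: 'new',       event: 'ev-02', priority: 5, researcherNotes: 'internal' },
];

// What a Meteor method body would do with a client-supplied selector.
function findUrls(clientSelector) {
  const selector = buildSafeSelector(clientSelector);
  const fields = Object.keys(publicProjection());
  return URLS.filter((d) => docMatches(d, selector))
    .map((d) => Object.fromEntries(fields.map((f) => [f, d[f]])));
}

console.log(findUrls({ status: 'new', priority: { $gte: 4 } }));
try { findUrls({ researcherNotes: 'internal' }); } catch (e) { console.log('rejected:', e.message); }
```

The design choice worth noting is that the safe selector is constructed, not sanitized: nothing from the client object is copied unless a policy entry explicitly allows the field, the operator and the value type, which is why unknown top-level keys and nested operator objects fail closed without a denylist.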