gnolang / gno

Gno: An interpreted, stack-based Go virtual machine to build succinct and composable apps + gno.land: a blockchain for timeless code and fair open-source.
https://gno.land/
Other
896 stars 375 forks source link

Extra policies for sensible topics (contributions, reviews, merging) #679

Open moul opened 1 year ago

moul commented 1 year ago

I recently approved a pull request for merging on GitHub without conducting a thorough analysis (#670). However, upon reflection, I realize that this was not the best approach, and I should have taken the time to conduct a more thorough review. Moving forward, I suggest defining additional policies and identifying areas that require extra attention to ensure that we achieve both efficiency and security.

When adding new features or extending the surface of our programs, we need to justify their necessity, and we must ensure that they are future-proof and minimalist. In particular, when working with cryptography, we should perform entropy and security benchmarks and document our findings. I welcome suggestions on the rules that we could add to ensure that we maintain our security standards.

To implement these changes, I propose adding a new label to identify pull requests that require extra attention and updating the CONTRIBUTING.md file. We may also need to reconsider (revert) two recent pull requests and conduct a thorough analysis before merging (#670 and #580).

Edit: related with #687.

grepsuzette commented 1 year ago

Cryptography is both small in terms of volume of code and critical in terms of impact. That being said, it's almost the same about some of our stdlibs or the VM itself for example.

When it comes to those areas we need to:

I think more than 1 label here.

moul commented 1 year ago

CODEOWNERS combined with stronger protected branch configurations enables the creation of designated patterns for sensitive areas, ensuring authorized access and establishing a clear audit trail.

thehowl commented 1 year ago

I'll defend my case on sha256: it is no less secure than std.Hash, it was reviewed and approved (in the scope of Sum256) by Jae and it uses the same calling code as std.Hash.

But with this in mind, I do agree with you and think that we should probably add as a requirement for every PR that:

Additionally, I think that the first reviewer may request either an additional review from another core-tech or from a "security" group of sorts (with you and Jae for now, I would imagine).

PRs touching crypto (-related) directories require automatically a security approval through codeowners I would say.

sbibek086 commented 1 year ago

Yes, I totally agree with @moul . I will have more to say on this on weekend.