Tauri 中文网

Tauri Ecosystem Security

Our Tauri organization ecosystem is hosted on GitHub and facilitates several features to make our repositories more resilient against adversaries targeting our source code and releases.

To reduce risk and to comply with commonly adopted best practices, we have the following methods in place.

Build Pipelines

The process of releasing our source-code artifacts is highly automated in GitHub build pipelines using GitHub Actions, yet it mandates kickoff and review from real humans.

Signed Commits

Our core repositories require signed commits to reduce the risk of impersonation and to allow identification of attributed commits after detection of a possible compromise.

Code Review

All Pull Requests (PRs) merged into our repositories need approval from at least one maintainer of the project, which in most cases is the working group. Code is generally reviewed in PRs, and default security workflows and checks are run to ensure the code adheres to common standards.

Release Process

Our working group reviews code changes, tags PRs with scope, and makes sure that everything stays up to date. We strive to internally audit all security-relevant PRs before publishing minor and major releases.

And when it's time to publish a new version, one of the maintainers tags a new release on dev, which:

  • Validates core
  • Runs tests
  • Audits crates and npm packages for security
  • Generates changelogs
  • Creates artifacts
  • Creates a draft release

Then the maintainer reviews the release notes, edits if necessary, and a new release is forged.

