TAURI FEATURE FREEZE AND SECURITY AUDIT

This content originally appeared on DEV Community and was authored by Daniel Thompson-Yvetot

  • Security Audit Begins
  • Code Freeze In Place
  • next Branch in Progress

At a certain point in the lifecycle of software, you have to just stop and smell the roses. Or in this case, hunt for code smell. And that is what the Tauri team is doing. We will no longer be accepting any feature requests for the forthcoming 1.0 and only accepting bug reports. All new features will then be addressed in the next branch.

Why would we do this, you might be asking yourself. Well, before we can declare Tauri safe to use, we need to put it through the proverbial wringer and gain confidence that it is not only architected properly, but also that common attack vectors are mitigated and trust boundaries are protected.

After spending years in the forest of your own project, it is easy to miss some of the trees, or even the project's place in the greater ecosystem.

To this end, we are pleased to announce that the Tauri Programme within the Commons Conservancy has teamed up with the non-profit group of penetration testing experts at Radically Open Security to help us gain not only deeper insight into the entire project, but also acquire the confidence we need to recommend using Tauri in production.

The Audit consists of both a horizontal and vertical investigation. The horizontal audit will look into all of the crates and libraries that compose Tauri, as well as its tooling and pipelines. The vertical audit will investigate an example application (our examples/api app) on all three platforms to verify that it is safe to use and our security posture is both appropriate and safe.

At the conclusion of the audit, we will publish the findings and lock our 1.0 release to maintenance work such as dependency updates and urgent fixes in case bugs are found. As mentioned above, all further work on new features like mobile and additional APIs will be undertaken in the @next branch, which will graduate to 2.0 upon its own completed audit.

One last word of caution: security audits are a regular practice of due diligence, and they are not guarantees that everything is safe. Your app's security will have as much (if not more) to do with your own coding practices as with Tauri's underlying security. If you are doing anything with private data or using cryptography, you would do well to have your project audited as well.

Disclaimer: It is important to understand the limits of the Tauri team's and Radically Open Security's services. The Tauri team and Radically Open Security do not (and cannot) give guarantees that something is secure. It remains the responsibility of downstream engineers to ensure the security of their projects that use Tauri.

Daniel Thompson-Yvetot | Sciencx (2021-08-24T07:53:49+00:00) TAURI FEATURE FREEZE AND SECURITY AUDIT. Retrieved from https://www.scien.cx/2021/08/24/tauri-feature-freeze-and-security-audit/