Codebase list sliver / master CONTRIBUTING.md
master

Tree @master (Download .tar.gz)

CONTRIBUTING.md @master 

75215cb
 
 
 
 
 
 
 
ccd9f7d
75215cb
 
 
 
 
 
55c956c
75215cb
 
 
 
 
 
ccd9f7d
 
75215cb
 
 
 
55c956c
 
75215cb
 
 
 
 
 
 
 
 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Contributing to Sliver
======================

## General

* Contributions to core code must be GPLv3 (but not libraries)
* If you'd like to work on a feature, please open a ticket and assign it to yourself
* Changes should be made in a new branch
* Commits [must be signed](https://docs.github.com/en/github/authenticating-to-github/signing-commits) for any PR to master
* Please provide meaningful commit messages
* Ensure code passes existing unit tests, or provide updated test(s)
* `gofmt` your code
* Any changes to `vendor/` should be in a distinct commit
* Avoid use of `CGO` (limits cross-platform support)
* Avoid use of empty interfaces
* Never import anything from the `server` package in the `client` package.

## Security

* _Never_ trust the user, applied in a common-sense way.
* __Secure by default__, please ensure any contributed code follows this methodology to the best of your ability. It should be difficult to insecurely configure features/servers.
    - It is better to fail securely than operate in an insecure manner.
* _Avoid_ incorporating user controlled values when constructing file/directory paths. Ensure any values that must be incorporated into paths are properly canonicalized.
* _Never_ use homegrown or non-peer reviewed encryption or random number generation algorithms.
* Whenever possible, use the following algorithms/encryption modes:
    - AES-GCM-256
    - SHA2-256 / HMAC-SHA2-256 or higher (e.g. SHA2-384)
    - Curves P521, P384, P256
    - Curve25519, XSalsa20, and Poly1305 (Nacl)
    - ChaCha20Poly1305
* _Never_ use the following in a security context, and _avoid_ use even in a non-security context:
    - MD5
    - SHA1
    - AES-ECB
    - AES-CBC, AES-CTR, etc. -without use case justification
* `math/random` should _always_ be imported as `insecureRand` and _never_ used to generate values related to a security context.
* Always apply the most restrictive file permissions possible.
* Apply obfuscation techniques when possible, but _do not rely upon_ obfuscation for security.