We're a few guys developing an application that requires a server to orchestrate everything. We'd like to make everything within this project open source. Does anyone have any experience with open sourcing server side code which will interface with OAuth APIs and whatnot? How do you go about managing deploys? I'm mostly concerned with security here.

Comments
  • 1
    I suppose it depends where you host it?
    We host ours on GitHub and people can fork or clone but any change to the master branch has to be via pull request that only we can approve.
    We've also set our CI up so that it doesn't run on PR raise (as we normally do) but only on merge so we make sure tests, etc. pass locally before approving anything.
  • 1
    @dan-pud For good measure, you might also want to sign release commits.
  • 2
    Make sure all the secrets (passwords, salts, API keys) are using environment variables. This is the most common security breach in open source backend software.
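    An added example (not posted by anyone in this thread) of the pattern this comment describes: the server reads every secret from the environment at start-up and refuses to run if one is missing or still holds a placeholder from a committed `.env.example`. The variable names `DB_PASSWORD` and `OAUTH_CLIENT_SECRET` are assumptions, and the demo values are constructed.

```shell
#!/bin/sh
# Fail-fast secret loading for a server started from an open-source checkout.
# Added example; DB_PASSWORD and OAUTH_CLIENT_SECRET are assumed variable
# names. Nothing here is ever read from a file inside the repository.

# require_secret NAME
#   0 if the variable NAME is set and non-empty, 1 otherwise.
#   The message names the variable but never prints its value.
require_secret() {
    name=$1
    eval "value=\${$name:-}"   # indirect lookup; NAME comes from our own call sites
    if [ -z "$value" ]; then
        echo "error: required secret $name is not set" >&2
        return 1
    fi
    return 0
}

# reject_placeholder NAME
#   1 if the value looks like a committed example value ("changeme",
#   "YOUR_...", "<...>"), which catches a .env.example used as-is.
reject_placeholder() {
    name=$1
    eval "value=\${$name:-}"
    case "$value" in
        changeme|CHANGEME|example|EXAMPLE|xxx*|YOUR_*|"<"*">")
            echo "error: $name still holds a placeholder value" >&2
            return 1 ;;
    esac
    return 0
}

# redact VALUE
#   Keep the first two characters, mask the rest, for any log line that has
#   to mention a secret at all.
redact() {
    printf '%s%s\n' "$(printf '%s' "$1" | cut -c1-2)" '****'
}

# check_all_secrets NAME...
#   Validate every required secret; the return code is the number of failures,
#   so 0 means the server may start.
check_all_secrets() {
    failures=0
    for n in "$@"; do
        require_secret "$n" && reject_placeholder "$n" || failures=$((failures + 1))
    done
    return "$failures"
}

# Stand-alone demo with constructed values: `sh secrets.sh --demo`.
# A real deploy exports these from the host's secret store instead.
if [ "${1:-}" = "--demo" ]; then
    (
        export DB_PASSWORD='constructed-demo-value'
        export OAUTH_CLIENT_SECRET='changeme'      # deliberately a placeholder
        check_all_secrets DB_PASSWORD OAUTH_CLIENT_SECRET
        echo "demo: $? secret(s) rejected; DB_PASSWORD shown as $(redact "$DB_PASSWORD")"
    )
fi
```

    Wiring `check_all_secrets` into the start-up script (or the container entrypoint) means a misconfigured deploy fails loudly before the OAuth client ever talks to a provider, instead of running with an empty or example credential.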
  • 2
    @dan-pud That sounds like a good strategy. I hadn't thought of restricting PRs as being a barrier.

    @Lor-inc Signing sounds like a good idea in general. Were you thinking those commits would be checked in CI?
  • 1
    @Lor-inc I'm also interested in that
  • 1
    @react-guy Absolutely. There's no way I'd ever forget that (even though Murphy's Law would dictate I will)
  • 2
    @react-guy @ScriptCoded Yes. Have a release keypair, stored safely in some secure place, that's exclusively used to approve releases and that's checked in CI. This way github bugs can't grant someone prod access.
  • 1
    @Lor-inc Advice taken 🙏