Need ideas on ensuring security

[HACKERALERT]

Now that we will start accepting contributors, we need to ensure the security of the repository. I've done the basics like enforcing 2FA for all Picocrypt organization members and requiring 3 reviews before a PR can be merged. I'm also thinking about creating a policy for letting new members get write/member access to the repos. Something along the lines of...

• All members with write access must have 2FA (strictly TOTP/U2F) enabled on their GitHub account.
• Devices that store authenticator tokens must have full-disk encryption (or equivalent) activated.
• New members must have made at least 5 commits over a minimum span of 2 weeks.
• Security policies like these may not be modified without my permission or knowledge.

Looking for additional points to add, so please drop some comments if you can :). Feel free to talk about general security as well and how we can ensure Picocrypt remains secure and trusted.

[1z5q]

Hi, Evan!
Тaking advantage of the opportunity of this "new" start....
I just wanted to say HUGE THANK YOU❤️! For all your tremendous work you've done. I'm with you and PicoCrypt from the beginning of your journey. I mean from the very first version. And today I am really proud to be the first "star giver" and the very first "watcher" aka subscriber of this fresh start in the new repository😃😃.

Evan, I wish you all the best from the bottom of my heart🙏. And great luck in your studies at the University of Toronto. I am sure that such an intelligent and hardworking person will definitely succeed. However if and when there will be any problems, we, as Pico's community, will definitely help you!!

Sincerely, 1z5q 🙂.

[HACKERALERT]

Picocrypt has served me well actually, it's often what gets me through job interviews and helps me receive job offers! So I'm really glad that it's a win-win situation. Times are different now though, and I'm glad to be able to open things up to everyone for contributing. So long as we set the security standards right, I think Picocrypt can easily live on without me. Of course, I'm not going anywhere, I'll still be here setting up policies and available to be pinged, etc. but it's nice to know that my little project is no longer dependant on me :)

[njhuffman]

For the multiple reviewers, something to make sure to consider is the area(s) of expertise of the reviewers. For instance, I'm well qualified to review and contribute to general coding structures and interfaces, but not to catch subtle encryption vulnerabilities. So there might be limits on which parts of a change different people can effectively review.

[HACKERALERT]

I agree, although I think one of the big issues right now is how to have a "self-sustaining" set of members. We need more than one reviewer for sure, and there's no doubt that people come and go, so we might get a situation where PRs can't be merged because no one is qualified to review it. At the same time, we can't just let members push code without some degree of approval.

Ideally members would be able to invite other members once three existing members agree or something like that... but members can't invite other people to be members first of all (only owners can do that and I don't want to give that permission unless absolutely necessary) and there's no "voting" system on GitHub for accepting new members afaik. There must be some way to make it work, given how all large open source projects have some sort of system for this.

[njhuffman]

Yeah I'm not really worried about it, just musing.