Day 18 Monorepo and Security

What I did: Setting up the monorepo + importing library

Total time: 54.200

Comments:

I got a MR accepted https://github.com/antontutoveanu/crystals-kyber-javascript!!! This feels so good even though it's a tiny change.

The reason I'm going with a monorepo is to cut down on software supply-chain attacks. We've seen bad code get injected via a third-party dependency. By vendoring the most critical third-party dependencies as shared libraries that are managed and reviewed directly within the repo, we remove an important attack vector (a compromised upstream release flowing into our build automatically), while opening ourselves up to a different one (not getting the patches we need, because updates are no longer pulled automatically). Vendoring only moves the trust decision to the moment of import, so each copy should be taken from a specific upstream commit or release, with its hash recorded, and reviewed before it lands in the repo.

However, given the importance of security and the fact that the crypto libraries we're using have been formally checked or will be in the near future, we surmise that the improved control over key crypto components will more than make up for the hassle of managing and updating them manually.

I looked at four tools:

Bazel - Pass. Designed to build multiple languages, the configuration looks complicated, and it does more than I need it to.

Nx - Interested, going to keep looking at the others. I like that it has a dependency graph, a way to explicitly show what depends on what, which encourages looser coupling and discarding old code that isn't needed.

rushjs - Backed by Microsoft; I like how it's fully deterministic. It seems to be missing a testing hook, but maybe that's because testing isn't considered part of the build process? Nx does have one, and since testing is important, I want the tools to reflect that. So pass.

Lerna - Pass. Doesn't have testing support.

Alright, choosing Nx. In the future I need to remember to add a utility that runs and tells us if any of our locally maintained security libraries have an update. For now I'm going to create a watchlist file at docs/security/watchlist.md.

Alright, good news: I got the module set up. Now I've got to set up the ssl2client and ss2server projects and figure out how to get them to interact within a test.

Sub project now, I'm importing the key code and setting up a few simple tests to ensure everything works as expected.

Hmm O_o kinda, but not what we need. At least we're able to import modules from one package to another and vice versa.

There isn't any way that I currently know of to track which dependencies go with which project.

Other comments:

In response to the comment: absolutely good to be back. I discovered an issue that I couldn't address within SN's current security framework and the nature of the web. TO BE CLEAR, SN is extremely secure. So much so that I trust my most intimate secrets and passwords wholeheartedly to SN. The issue was a combination of paranoia and the way that extensions are loaded via the internet. There's nothing SN can do to address it; it's an inherent flaw in how the internet is designed. So at that point I needed to abandon the effort until a better solution was available. I also found that I was using just a plain text editor and 1 note per password, so even I myself was reluctant to use the password manager, never a good sign.
