Skip to content

Security

-> As Open Source developers, user integrity and security is about being professional.

This page talks about the measures I take to mitigate risks, and how to report them.

Commits

All commits are signed with my main SSH Key created in Q3 2024, well-kept and with a strong password, alongside my GitHub account having Vigilant Mode enabled.

Releases

All projects uses native release channels mechanisms for reproducibility and least privilege:

  • Python: Uses PyPI Trusted Publishers in GitHub Actions workflows. Account has 2FA enabled, ephemeral 7 days tokens are used for creating new packages (once).
  • Rust: Uses crates.io Trusted Publishing in GitHub Actions workflows. Account login via GitHub, also with 2FA enabled, and ephemeral tokens for new crates (once).

Repositories have Immutable Releases enabled, so bound tags and assets cannot be replaced or renamed after creation, only deleted - community packages are welcome to source from it.