Hey @Patrick, I’m curious – what are your thoughts on Discourse after 3 years of use?
- usability: awesome
- stability: good
- antispam: awesome
- security: no opinion
My org is looking at using Discourse, but I saw a huge red flag when skimming their install guide, which included the command:
wget -qO- https://get.docker.com/ | sh
Really bad indeed.
Many if not most popular webapps are similar to that. If you choose to only use these with best security practices, you’ll be severely limiting usability, thereby productivity, thereby the overall success.
There would be a command which makes it partially more secure.
curl --remote-name --tlsv1.2 --proto =https --proto-redir =https --location https://get.docker.com/
Could be simplified if someone wanted to help getting
^ After seeing a project say that, I’m tempted to discount any claims that they “take security very seriously” as mere security theater.
I’d very much like to hear the perspective of the security-focused Whonix team on the security (and other aspects) of self-hosting Discourse.
Package manager security, file verification security and other auxiliary attack vectors such as clock related security issues are not on the radar of many even security focused projects. For example, Hardened Gentoo is serious about enabling security hardening compile flags but then is sloppy about package manager security.