Hi Michael,

Thanks for the info, very helpful.

You've convinced me, now I just need to convince the higher
authorities :P

On Jun 12, 12:24 am, Michael <[email protected]> wrote:
> On Thu, Jun 11, 2009 at 6:11 AM, Shadow <[email protected]> wrote:
>
> > Hi guys,
>
> > I'm about to launch a non-profit django website, and was thinking I
> > might as well open source the code as well.
>
> > I noticed this has been done with djangoproject.com, but was thinking
> > how potentially dangerous it is, that any flaws are open to see and be
> > exploited.
>
> > Is it just a matter of hoping good guys find the flaws before the bad
> > ones? :P
>
> > Any thoughts?
>
> Thanks for thinking about open sourcing your projects. It really helps out
> the community to see full projects out there in the wild.
>
> As for security, if there is an exploit in your code, it exists whether or
> not your code is open sourced or not. While you run the risk of the bad guys
> seeing the exploits directly, instead of needing to reverse engineer
> anything, you will have considerably more eyes on the code, which means bugs
> will be filed and, in general, the community is very helpful.
>
> A few things I can think of if you are going to open source your entire Web
> Site: Don't place your settings.py file in the project, as your database
> information, secret key and other information will be in that file. Remember
> to extract any API keys or passwords that you might have hard coded in your
> views or other code. Run the CSRF middleware; 90% of exploits that I have
> found/committed into code since starting to use Django came in the form of
> CSRF. While the middleware is a little strict and not perfect, it can cut
> down on some of your risk. A full test suite will help to make sure that
> your application does exactly as documented (don't forget to document); this
> will help make sure that you don't have random tangents that might lead to
> exploits.
>
> Another extremely helpful thing that can help out the community without
> needing to release the entire codebase, is to write your apps with reusable
> code and release several reusable apps. There are lots of examples out there
> for reusable apps.
>
> I hope that helps,
>
> Michael
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
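Michael's first two points (keep settings.py with its database credentials and SECRET_KEY out of the published tree, and pull any hard-coded API keys or passwords out of the views) boil down to two habits: read secrets from the deployment environment and fail closed if they are absent, and scan the tree for literal secrets before the first public push. The following is an added example written for this thread, not code from the thread or from Django; the environment variable names DJANGO_SECRET_KEY and DJANGO_DB_PASSWORD, the secret-name patterns and the sample source lines are all constructed for illustration.

```python
"""Keep secrets out of an open-sourced Django project.

Added example, not code from the thread or from Django. The environment
variable names, the regex of "secret-looking" names and the SAMPLE source
lines below are constructed for illustration.
"""
import os
import re

# Hypothetical names a deployment would export before starting the app.
REQUIRED_ENV = ("DJANGO_SECRET_KEY", "DJANGO_DB_PASSWORD")


class MissingSecret(RuntimeError):
    """Raised when a required secret is absent: fail closed, never default."""


def missing_secrets(env):
    """Names from REQUIRED_ENV that are unset or empty in the mapping env."""
    return [name for name in REQUIRED_ENV if not env.get(name)]


def load_secrets(env=None):
    """Return the secret-bearing settings read from env (default os.environ).

    There is deliberately no fallback value: a default SECRET_KEY written into
    settings.py would be published together with the repository, and anyone
    holding it can forge Django's signed cookies and tokens.
    """
    env = os.environ if env is None else env
    missing = missing_secrets(env)
    if missing:
        raise MissingSecret("set " + ", ".join(missing))
    return {
        "SECRET_KEY": env["DJANGO_SECRET_KEY"],
        "DATABASES": {"default": {"PASSWORD": env["DJANGO_DB_PASSWORD"]}},
    }


# A secret-looking name (SECRET_KEY, PASSWORD, API_KEY, *_TOKEN) assigned a
# string literal of 8+ characters, either as NAME = '...' or as 'NAME': '...'
# inside a dict such as DATABASES. Values taken from os.environ do not match.
_SECRET_ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(SECRET_KEY|PASSWORD|API_KEY|[A-Z_]*TOKEN)   # suspicious name
    ['"]?\s*[=:]\s*                                 # '=' or dict-style ':'
    ['"]([^'"]{8,})['"]                             # quoted literal, 8+ chars
    """
)


def find_hardcoded_secrets(source_lines):
    """Return (line_no, name) for each line that assigns a literal secret."""
    hits = []
    for no, line in enumerate(source_lines, 1):
        m = _SECRET_ASSIGNMENT.search(line)
        if m:
            hits.append((no, m.group(1)))
    return hits


# Constructed sample of a settings/views module as it might look before cleanup.
SAMPLE = [
    "import os",
    "SECRET_KEY = 'x9v!2k#q7z$p0lm3nb8wqe'",
    "API_KEY = os.environ['API_KEY']",
    "DATABASES = {'default': {'PASSWORD': 'hunter2hunter2'}}",
    'GITHUB_TOKEN = "ghp_notarealtokenjustsample"',
]

if __name__ == "__main__":
    for no, name in find_hardcoded_secrets(SAMPLE):
        print(f"line {no}: literal assigned to {name}; move it to the environment")
```

Run the scanner over `git ls-files` output before the first public commit, and remember that removing a secret from the working tree does not remove it from history; a key that was ever committed has to be rotated, not just deleted.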
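Michael's third point is to run the CSRF middleware. What that middleware does, stripped to its core, is a synchronizer-token check: a random token is kept in the user's session, every form (or AJAX header) has to echo it back, and any state-changing request that does not carry the right token is refused. The block below is an added example written for this thread to show that mechanism in plain Python; it is not Django's CsrfViewMiddleware (which additionally uses a cookie and masks the token) and the dict-shaped request, the field name csrfmiddlewaretoken and the header name X-CSRFToken are assumptions made so it runs without Django.

```python
"""Synchronizer-token CSRF check, the idea behind a CSRF middleware.

Added example, not code from the thread or from Django. The request is
modelled as a plain dict {"method", "session", "form", "headers"} (an
assumption) so the check runs without a web framework.
"""
import hmac
import secrets

# Methods that must never change state; a CSRF middleware lets them through
# unchecked, which is exactly why a state-changing GET view is still exposed.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
TOKEN_BYTES = 32
FORM_FIELD = "csrfmiddlewaretoken"   # assumed form field name
HEADER = "X-CSRFToken"               # assumed header name for AJAX posts


def issue_csrf_token(session):
    """Store one random token per session and return it for the template.

    The token is unguessable and bound to the session, so a page on an
    attacker's origin can auto-submit a form to this site but cannot fill
    in the value the check expects.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(TOKEN_BYTES)
    return session["csrf_token"]


def csrf_check(request):
    """Return (allowed, reason) for a request dict."""
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"
    expected = request["session"].get("csrf_token")
    if not expected:
        return False, "no token in session"
    supplied = request["form"].get(FORM_FIELD) or request["headers"].get(HEADER)
    if not supplied:
        return False, "token missing from request"
    # Constant-time comparison on bytes: a plain == would leak, through timing,
    # how many leading characters of a guessed token were right, and encoding
    # first avoids a TypeError on non-ASCII input from an attacker.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "token mismatch"
    return True, "token ok"


def demo():
    """Constructed scenarios: a legitimate POST, a cross-site POST, a GET."""
    session = {}
    token = issue_csrf_token(session)
    legitimate = {"method": "POST", "session": session,
                  "form": {FORM_FIELD: token, "amount": "10"}, "headers": {}}
    # A form auto-submitted from another origin carries the victim's session
    # cookie, so the session is the same, but it cannot know the token.
    cross_site = {"method": "POST", "session": session,
                  "form": {"amount": "100"}, "headers": {}}
    read_only = {"method": "GET", "session": session, "form": {}, "headers": {}}
    return {
        "legitimate": csrf_check(legitimate),
        "cross_site": csrf_check(cross_site),
        "read_only": csrf_check(read_only),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10s} allowed={ok} ({why})")
```

The check is only as good as the rule that GET never changes state: a "delete this post" link that works on GET sails through `SAFE_METHODS`, which is one reason Michael calls the middleware helpful but not perfect.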