On Sat, Dec 21, 2019 at 12:51 PM Adam Johnson <[email protected]> wrote:

> I just saw Google is expanding their Patch Rewards program for open source
> security improvements:
> https://security.googleblog.com/2019/12/announcing-updates-to-our-patch-rewards.html
>
> They are offering two tiers of rewards - $5,000 or $30,000 - for open
> source projects making security improvements. I think Django would find it
> hard to fit in the "small" tier - we generally fix known vulnerabilities
> quickly - but we could use the "large" tier to fund a bigger GSoC style
> project. I suspect it would need active involvement from a DSF member to
> push it through. Not sure how the funding would work in terms of DSF and
> paying for development time on the project.
>
> Some projects that could fit:
>
>    - 2FA built-in to django.contrib.auth (as suggested for GSoC as well
>    in this thread:
>    https://groups.google.com/forum/#!msg/django-developers/ifYT6lX8nmg/1nVO3As1AwAJ )
>    - Adding CSP to SecurityMiddleware and shipping some default
>    (django-csp is a good start but requires users to actively seek it:
>    https://django-csp.readthedocs.io/en/latest/ )
>    - Adding CORS to Django itself (I'm maintaining django-cors-headers,
>    but its design is a bit pants
>    https://github.com/adamchainz/django-cors-headers )
>    - Other things in James Bennett's list of suggestions from this thread
>    in May 2018:
>    https://groups.google.com/forum/#!msg/django-developers/DDpkrvFdnvk/J46ZbakxAgAJ
>
> Thoughts?
>

Sounds great. CSP (being the base for or including subresource integrity)
and improved system security checks seem to fit the "a significant new
security feature" category very well (thinking of 2FA for GSoC).


> --
> Adam
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMyDDM0MV-XLf8VV7ux%3DgY6J3pDhGAGrosG9gATNyRXZoRcZfw%40mail.gmail.com
> <https://groups.google.com/d/msgid/django-developers/CAMyDDM0MV-XLf8VV7ux%3DgY6J3pDhGAGrosG9gATNyRXZoRcZfw%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CA%2BFDnhKLozkUJ3r9pjuuJcvbB8%2B4LmsLafYQmROwoZeXFvoF0w%40mail.gmail.com.
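As an added example (not from this thread and not Django's own code), here is what "shipping some default" CSP could look like: a middleware written in Django's factory style that sets a conservative default policy, attaches a per-request script nonce so templates can mark their own inline scripts without `'unsafe-inline'`, and offers a report-only mode for rolling the policy out before enforcing it. It imports nothing from Django, so it runs stand-alone against the stub request/response objects at the bottom; `csp_middleware`, `DEFAULT_POLICY`, `build_policy`, the stub classes and the `/csp-report/` path are all assumptions for this sketch, not Django settings or APIs.

```python
"""Added example: a Django-style middleware shipping a default CSP.

Follows Django's middleware protocol (a factory taking get_response and
returning a callable taking request) but imports nothing from Django.
All names here are assumptions for the sketch, not Django's own.
"""
import secrets

# Constructed default policy: same-origin everything, no plugins, no
# framing by third parties, no form posts to other origins.
DEFAULT_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'self'"],
    "form-action": ["'self'"],
}


def build_policy(policy, nonce=None):
    """Serialise a directive -> sources mapping into a CSP header value.

    When a nonce is given it is appended to script-src as 'nonce-<value>',
    which lets template-rendered inline scripts run without 'unsafe-inline'.
    """
    parts = []
    for directive, sources in policy.items():
        sources = list(sources)  # copy so the shared default is never mutated
        if nonce and directive == "script-src":
            sources.append(f"'nonce-{nonce}'")
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def csp_middleware(get_response, policy=None, report_only=False, report_uri=None):
    """Middleware factory. report_only=True emits the Report-Only header so a
    site can measure violations before the policy is enforced; report_uri adds
    a report-uri directive (assumed endpoint path, deprecated in CSP3 in favour
    of report-to but still widely supported)."""
    policy = dict(policy or DEFAULT_POLICY)
    if report_uri:
        policy["report-uri"] = [report_uri]
    header = ("Content-Security-Policy-Report-Only" if report_only
              else "Content-Security-Policy")

    def middleware(request):
        # Fresh random nonce per request; views/templates read request.csp_nonce.
        request.csp_nonce = secrets.token_urlsafe(16)
        response = get_response(request)
        # Django's HttpResponse supports `in` and item assignment for headers.
        # Do not clobber a policy a view or other middleware already set.
        if header not in response:
            response[header] = build_policy(policy, request.csp_nonce)
        return response

    return middleware


class StubRequest:
    """Constructed stand-in for django.http.HttpRequest."""


class StubResponse(dict):
    """Constructed stand-in: a dict of headers plus a body attribute."""

    def __init__(self, body=""):
        super().__init__()
        self.body = body


def demo(report_only=False):
    """Run one request through the middleware; return (headers, nonce used)."""

    def view(request):
        # A template would emit the nonce on its own inline <script> tag.
        return StubResponse(f'<script nonce="{request.csp_nonce}"></script>')

    handler = csp_middleware(
        view,
        report_only=report_only,
        report_uri="/csp-report/" if report_only else None,
    )
    request = StubRequest()
    response = handler(request)
    return dict(response), request.csp_nonce


if __name__ == "__main__":
    headers, nonce = demo()
    print(headers["Content-Security-Policy"])
    print(demo(report_only=True)[0]["Content-Security-Policy-Report-Only"])
```

Because the nonce is regenerated per request, the header must be set after the view runs but must not be cached with the page; any caching layer in front of such a middleware has to be aware of that, which is one of the design questions a built-in default would have to settle.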
