On Thu, Jun 11, 2009 at 6:11 AM, Shadow <shadow.fusion.m...@gmail.com> wrote:

> Hi guys,
>
> I'm about to launch a non-profit django website, and was thinking I
> might as well open source the code as well.
>
> I noticed this has been done with djangoproject.com, but was thinking
> how potentially dangerous it is, that any flaws are open to see and be
> exploited.
>
> Is it just a matter of hoping good guys find the flaws before the bad
> ones? :P
>
> Any thoughts?

Thanks for thinking about open sourcing your projects. It really helps out the community to see full projects out there in the wild.

As for security, if there is an exploit in your code, it exists whether or not your code is open sourced. While you run the risk of the bad guys seeing the exploits directly, instead of needing to reverse engineer anything, you will have considerably more eyes on the code, which means bugs will be filed and, in general, the community is very helpful.

A few things I can think of if you are going to open source your entire web site:

- Don't place your settings.py file in the project, as your database information, secret key and other information will be in that file.
- Remember to extract any API keys or passwords that you might have hard coded in your views or other code.
- Run the CSRF middleware; 90% of the exploits that I have found/committed into code since starting to use Django came in the form of CSRF. While the middleware is a little strict and not perfect, it can cut down on some of your risk.
- A full test suite will help to make sure that your application does exactly as documented (don't forget to document). This will help make sure that you don't have random tangents that might lead to exploits.

Another extremely helpful thing that can help out the community without needing to release the entire codebase is to write your apps with reusable code and release several reusable apps. There are lots of examples out there for reusable apps.
I hope that helps,
Michael
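The settings advice above (keep the secret key, database credentials and API keys out of the published tree, and keep the CSRF middleware on) can be made concrete. The following is an added example written for this thread, not code from the original post or from Django itself: a settings module that pulls every secret from the environment and fails loudly when one is missing, plus a small pre-publish check that flags credential-looking names assigned a quoted literal. It does not import Django, so it runs stand-alone; the environment variable names (DJANGO_SECRET_KEY, DB_NAME, DB_USER, DB_PASSWORD, DB_HOST), the `require_env` / `find_hardcoded_secrets` helpers and the regex heuristic are all assumptions made for the example.

```python
"""settings_public.py: a settings layout for a project whose source will be
published. Secrets come from the environment; nothing secret is a literal.
Added example for this thread, not code from the original post or Django;
it does not import Django, so it runs stand-alone."""
import os
import re


class MissingSecret(RuntimeError):
    """A required secret was not supplied by the environment."""


def require_env(name, environ=None):
    """Return a required secret from the environment, failing loudly rather
    than falling back to a default that would end up in the repository."""
    env = os.environ if environ is None else environ
    value = env.get(name, "").strip()
    if not value:
        raise MissingSecret("set %s in the environment, not in settings.py" % name)
    return value


def build_settings(environ=None):
    """Assemble the values that would normally live in settings.py.
    Only the non-secret parts are literals, so the file is safe to publish.
    Variable names below are assumptions for this example."""
    env = os.environ if environ is None else environ
    return {
        "DEBUG": False,
        "SECRET_KEY": require_env("DJANGO_SECRET_KEY", env),
        "DATABASES": {
            "default": {
                "ENGINE": "django.db.backends.postgresql_psycopg2",
                "NAME": require_env("DB_NAME", env),
                "USER": require_env("DB_USER", env),
                "PASSWORD": require_env("DB_PASSWORD", env),
                "HOST": env.get("DB_HOST", "localhost"),
            }
        },
        # CSRF protection, as recommended in the thread. This is the Django
        # 1.2+ module path; 1.0/1.1 ship it under django.contrib.csrf.middleware.
        "MIDDLEWARE_CLASSES": (
            "django.middleware.common.CommonMiddleware",
            "django.contrib.sessions.middleware.SessionMiddleware",
            "django.middleware.csrf.CsrfViewMiddleware",
            "django.contrib.auth.middleware.AuthenticationMiddleware",
        ),
    }


# Pre-publish heuristic: a setting or dict key whose name suggests a
# credential, assigned a non-empty quoted literal. Constructed for this
# example; it is a smoke test, not a complete secret scanner.
HARDCODED_SECRET = re.compile(
    r"""^\s*['"]?(?P<name>[A-Za-z_]*(?:SECRET|PASSWORD|TOKEN|API_KEY)[A-Za-z_]*)['"]?"""
    r"""\s*[:=]\s*['"][^'"]+['"]""",
    re.IGNORECASE,
)


def find_hardcoded_secrets(source):
    """Return (line_number, name) for each line of `source` that assigns a
    quoted literal to a credential-looking name."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = HARDCODED_SECRET.match(line)
        if match:
            hits.append((lineno, match.group("name")))
    return hits


def csrf_enabled(settings):
    """True if a CSRF middleware is present in the middleware stack."""
    return any(m.endswith((".CsrfViewMiddleware", ".CsrfMiddleware"))
               for m in settings["MIDDLEWARE_CLASSES"])


if __name__ == "__main__":
    # Constructed sample of a settings file that must NOT be published as-is.
    leaky = '''
DEBUG = True
SECRET_KEY = 'k3ep-th1s-0ut-of-git'
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3',
        'NAME': 'site.db',
        'PASSWORD': 'hunter2',
    }
}
FLICKR_API_KEY = "abc123"
SAFE_KEY = os.environ['SAFE_KEY']
'''
    for lineno, name in find_hardcoded_secrets(leaky):
        print("line %d: %s is a hard-coded literal" % (lineno, name))
```

Running the module scans the constructed sample and reports the three literal credentials (SECRET_KEY, the database PASSWORD and FLICKR_API_KEY) while leaving the environment-backed line alone; running `find_hardcoded_secrets` over your real settings.py before the first public commit is the point of the check. Keeping settings.py itself out of the repository, as the post suggests, remains the simplest option; this layout is for the case where you want a publishable settings file anyway.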