-rw-r--r-- CODE_OF_CONDUCT.md 45
-rw-r--r-- Cargo.lock 4
-rw-r--r-- Cargo.toml 2
-rw-r--r-- README.md 66
-rw-r--r-- SECURITY.md 57
5 files changed, 169 insertions, 5 deletions
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..63e8058
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,45 @@
+# Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and maintainers pledge to make participation in
+the tesseras project a welcoming experience for everyone, regardless of age,
+body size, disability, ethnicity, gender identity and expression, level of
+experience, nationality, personal appearance, race, religion, or sexual
+identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the project and community
+- Showing empathy towards other community members
+
+Examples of unacceptable behavior:
+
+- Trolling, insulting or derogatory comments, and personal attacks
+- Public or private harassment
+- Publishing others' private information without explicit permission
+- Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Scope
+
+This Code of Conduct applies within all project spaces (issue trackers, mailing
+lists, chat channels, code review) and when an individual is representing the
+project in public spaces.
+
+## Enforcement
+
+Instances of unacceptable behavior may be reported by contacting the project
+maintainer at **murilo@ijanc.org**. All complaints will be reviewed and
+investigated and will result in a response deemed necessary and appropriate to
+the circumstances.
+
+## Attribution
+
+This Code of Conduct is adapted from the
+[Contributor Covenant](https://www.contributor-covenant.org), version 2.1.
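Review bot: The Enforcement section names a single reporting contact, the project maintainer at murilo@ijanc.org, so there is no route for a complaint that concerns that maintainer. Consider listing a second contact or a private list alongside it. In the Attribution section, the text says version 2.1 but the link points at the site root; linking the 2.1 text itself would let readers see what was adapted.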
diff --git a/Cargo.lock b/Cargo.lock
index 99b8065..1ae7895 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -546,9 +546,9 @@ dependencies = [
[[package]]
name = "tesseras-dht"
-version = "0.1.0"
+version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "791adbfbbca157a854cf8721b466f4fb9b6f818548fa50eea6e3bb33b1e59d1c"
+checksum = "be972dbc85e9a63018117cb3b71cc9d9c094cde5222771c8d3ec8e36e506714c"
dependencies = [
"ed25519-dalek",
"log",
diff --git a/Cargo.toml b/Cargo.toml
index 8a163fc..73338d8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -24,4 +24,4 @@ env_logger = "=0.11.10"
log = "=0.4.29"
# tesseras
-tesseras-dht = "=0.1.0"
+tesseras-dht = "=0.1.1"
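Review bot: The bump of `tesseras-dht` from `=0.1.0` to `=0.1.1` is bundled with four documentation files, and none of the added README or SECURITY.md text says what 0.1.1 changes. Suggest moving the Cargo.toml and Cargo.lock changes into their own commit with a one-line reason for the bump, so the dependency change can be reviewed, bisected and reverted independently of the docs. Since every dependency here is pinned with `=`, the new Cargo.lock checksum is the only thing binding the build to specific crate content; it should come from a cargo-generated lockfile, not a manual edit.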
diff --git a/README.md b/README.md
index 26182a0..4daffce 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,67 @@
-# tesseras-paste
+# Tesseras-Paste
+
+A decentralized pastebin built on [tesseras-dht](https://crates.io/crates/tesseras-dht). Pastes are encrypted client-side, distributed across the DHT, and served over HTTP.
+
+## Features
+
+- End-to-end encrypted pastes (XChaCha20-Poly1305)
+- Decentralized storage via Kademlia DHT
+- NAT traversal (hole-punching and proxy relay)
+- HTTP serving with content-key URLs
+- TTL-based expiry and pinning
+- Public (unencrypted) paste mode
+- OpenBSD `pledge(2)` sandboxing
+
+## Binaries
+
+**tpd** — daemon that runs a DHT node, stores pastes, and serves HTTP.
+
+```
+usage: tpd [-p port] [-d dir] [-s sock] [-w http_port] [-g] [-n] [-b host:port]
+
+ -p port UDP port (0 = random)
+ -d dir data directory
+ -s sock Unix socket path
+ -w port HTTP server port
+ -g global NAT (public server)
+ -n no auto-bootstrap (skip DNS SRV)
+ -b host:port bootstrap peer (repeatable)
+```
+
+**tp** — CLI client that talks to the daemon over a Unix socket.
+
+```
+usage: tp [-s sock] <command> [args]
+
+ put [-t ttl] [-p] read stdin, store paste (-p = public, no encryption)
+ get <key> retrieve paste to stdout
+ del <key> delete paste
+ pin <key> pin (never expires)
+ unpin <key> unpin
+ status show daemon status
+```
+
+## Quick start
+
+```sh
+# Start the daemon
+tpd -p 4433 -w 9999 -d /var/tesseras-paste
+
+# Store a paste
+echo "hello" | tp put
+# => Ey2rNiNukhNpqUouaSnnZwTtCgeCgMx2FrCuMr3whBxx
+
+# Retrieve it
+tp get Ey2rNiNukhNpqUouaSnnZwTtCgeCgMx2FrCuMr3whBxx
+```
+
+## Links
+
+- [Website](https://tesseras.net)
+- [Source code](https://got.tesseras.net/?action=summary&path=tesseras-paste.git) (primary)
+- [Source hut mirror](https://git.sr.ht/~ijanc/tesseras-paste)
+- [GitHub mirror](https://github.com/ijanc/tesseras-paste)
## License
-ISC
+ISC — see [LICENSE](LICENSE).
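Review bot: The Features list promises "End-to-end encrypted pastes (XChaCha20-Poly1305)" next to "HTTP serving with content-key URLs", but the README never says where the decryption key lives or whether the string printed by `tp put` is a secret. A reader cannot tell from this text whether sharing a URL shares the plaintext, or whether `tpd` serves ciphertext or decrypted content over HTTP. One or two sentences on key handling and on what the HTTP endpoint returns for encrypted versus `-p` public pastes would close that gap. The usage block also does not say which address `-w port` listens on, which matters for the Quick start line `tpd -p 4433 -w 9999 -d /var/tesseras-paste`. Minor: "Source hut mirror" should read "SourceHut mirror", and the added Links list runs straight into the existing `## License` heading without a blank line.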
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..2c4736f
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,57 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Tesseras, please report it
+responsibly through the private security mailing list:
+
+**[~ijanc/tesseras-security@lists.sr.ht](mailto:~ijanc/tesseras-security@lists.sr.ht)**
+
+This list is restricted to maintainers. Reports are welcome from anyone.
+
+### Encrypting your report
+
+Please encrypt sensitive reports using the maintainer's GPG key:
+
+- **Key ID:** `882CF78D7F04E7F4`
+- **Fingerprint:** `9C16 D725 0B23 6C1C C21A 46AB 882C F78D 7F04 E7F4`
+- **Key server:** `keys.openpgp.org`
+
+```
+gpg --keyserver keys.openpgp.org --recv-keys 9C16D7250B236C1CC21A46AB882CF78D7F04E7F4
+```
+
+### What to include
+
+- Description of the vulnerability
+- Steps to reproduce
+- Affected components (crate, module, function)
+- Potential impact
+- Suggested fix, if any
+
+### What to expect
+
+- Acknowledgment within 48 hours
+- Status update within 7 days
+- Coordinated disclosure after a fix is available
+
+### Please do NOT
+
+- Open a public issue or pull request for security vulnerabilities
+- Disclose the vulnerability publicly before a fix is available
+- Exploit the vulnerability against other users' nodes or data
+
+## Scope
+
+The following are in scope for security reports:
+
+- Cryptographic issues (key generation, signing, encryption, erasure coding)
+- Network protocol vulnerabilities (DHT, QUIC transport, relay)
+- Authentication and authorization bypasses
+- Data integrity or confidentiality violations
+- Denial of service against individual nodes
+
+## Recognition
+
+Contributors who report valid vulnerabilities will be credited in the
+release notes (unless they prefer to remain anonymous).
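Review bot: The Scope list reads as if written for the wider Tesseras project and not for this repository: it names "QUIC transport" and "erasure coding", neither of which appears in the README added by this same commit, while the surfaces the README does describe (the HTTP server, the Unix socket between `tp` and `tpd`, and the `pledge(2)` sandbox) are not listed. Suggest either stating that this policy covers all Tesseras crates or adding those components to the in-scope list. Under "Encrypting your report", the policy sends reports to a mailing list but asks for encryption to "the maintainer's GPG key"; it would help to say that only the key holder can read encrypted reports. The `gpg --recv-keys` fence has no language tag, while the README fence for commands uses `sh`.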