DEV Community

Daniel Thompson-Yvetot for Tauri



  • Security Audit Begins
  • Code Freeze In Place
  • next Branch in Progress

At a certain point in the lifecycle of software, you have to just stop and smell the roses. Or in this case, hunt for code smell. And that is what the Tauri team is doing. We will no longer be accepting any feature requests for the forthcoming 1.0 and only accepting bug reports. All new features will then be addressed in the next branch.

Why would we do this, you might be asking yourself. Well, before we can declare Tauri safe to use, we need to put it through the proverbial wringer and gain confidence not only that it is architected properly, but also that common attack vectors are mitigated and trust boundaries are protected.

After spending years in the forest of your own project, it is easy to miss some of the trees, or even the forest's place in the greater ecosystem.

To this end, we are pleased to announce that the Tauri Programme within the Commons Conservancy has teamed up with the non-profit group of penetration testing experts at Radically Open Security to help us gain not only deeper insight into the entire project, but also acquire the confidence we need to recommend using Tauri in production.

The audit consists of both a horizontal and a vertical investigation. The horizontal audit will look into all of the crates and libraries that compose Tauri, as well as its tooling and pipelines. The vertical audit will investigate an example application (our examples/api app) on all three platforms to verify that it is safe to use and that our security posture is both appropriate and sound.

At the conclusion of the audit, we will publish the findings and lock our 1.0 release to maintenance work such as dependency updates and urgent fixes in case bugs are found. As mentioned above, all further work on new features like mobile support and additional APIs will be undertaken in the @next branch, which will graduate to 2.0 upon the completion of its own audit.

One last word of caution: security audits are a regular practice of due diligence, not guarantees that everything is safe. Your app's security will have as much (if not more) to do with your own coding practices as with Tauri's underlying security. If you are doing anything with private data or using cryptography, you would do well to have your project audited as well.

Disclaimer: It is important to understand the limits of the Tauri team's and Radically Open Security's services. The Tauri team and Radically Open Security do not (and cannot) give guarantees that something is secure. It remains the responsibility of downstream engineers to ensure the security of their own projects that use Tauri.
