Assessment: Non-Goals #15
Description
Non-Goals
Non-goals are specifically security-related features that a user may consider to be within scope, but the project has intentionally marked it as out of scope for good reason. These may be responses to questions you’ve already been asked, but also try to anticipate any criticism and questions you might get from users or security auditors.
In the example below, there were a couple items that benefitted from independent explanation, so we put them each under their own subheadings. You may wish to use a list or other formatting to organize yours.
Remember to keep these as detailed as possible, naming the concerns and then thoroughly addressing them.
### Non-Goals
The Privateer project does not maintain packages, instead relying on the greater open source community to maintain each package independently of the main project. Privateer does not attempt to validate the security of plugins that are requested by users.
#### Plugin Validation
The Privateer project does not currently provide validation or assurances of safety for plugins ("Raids") that users choose to execute.
A roadmap candidate is being considered to address this by offering a "--safe" flag to the CLI, which will only execute plugins that are retrieved from an official source. This is currently not a goal due to the large scope of the process: Adding this feature will require (at minimum) an approval process, a list or registry of approved plugins, and automated provenance validation built into the --safe flag.
For the foreseeable future, Privateer will treat all plugins selected by users as fully-trusted entities.
#### Subprocess Command to execute plugins
When Privateer calls the raids as subprocesses, no validation is performed to restrict subprocesses to safe executables. To exploit this, the Privateer executable or respective configuration file must already be compromised by an attacker. In either case, there is no additional opportunity provided to attackers by restricting subprocess commands further.