Nathan Harris Mordil Seattle, WA https://mordil.info iOS & Server Swift | SSWG Contributor

vapor/redis 437

Vapor provider for RediStack

SwiftPackageIndex/SwiftPackageIndex-Server 262

The Swift Package Index is the place to find Swift packages!

peek-travel/swift-currency 76

Type-safety and algorithms for working with money in Swift.

Mordil/RediStack 53

Non-blocking, event-driven Swift client for Redis.

vapor/redis-kit 8

Helpful extensions and abstractions for using RediStack

Mordil/UAT-GAM205 1

An arcade tank shooting game built with Unity 3D.

L4Digital/analytics-ios-integration-localytics 0

The Localytics analytics-ios integration.

L4Digital/flurry-ios-sdk 0

Flurry iOS SDK CocoaPods

Mordil/PackageList 0

The master list of repositories for the Swift Package Index.

Mordil/redis-doc 0

Redis documentation source code for markdown and metadata files, conversion scripts, and so forth

release vapor/vapor

4.47.0

released time in 4 days

delete branch swift-server/sswg

delete branch : jw-sec-version-bump

delete time in 18 days

push event swift-server/sswg

Johannes Weiss

commit sha a7588d69cde347905be80a42a239eafda53d204d

bump process version for updated security process (#55)

push time in 18 days

PR opened swift-server/sswg

bump process version for updated security process
+1 -1

0 comment

1 changed file

pr created time in 18 days

create branch swift-server/sswg

branch : jw-sec-version-bump

created branch time in 18 days

push event swift-server/sswg

Johannes Weiss

commit sha 744257adb0634205ed0cbcca1bcc7f0c60b881e8

new link for package index

push time in 19 days

push event swift-server/sswg

Johannes Weiss

commit sha 631c7603662b12b785025f37a6ca374086da3afc

new security guidelines & info (#54)

Co-authored-by: Cory Benfield <lukasa@apple.com>
Co-authored-by: Gwynne Raskind <gwynne@darkrainfall.org>
Co-authored-by: Kaitlin Mahar <kaitlinmahar@gmail.com>
Co-authored-by: tomer doron <tomer@apple.com>

push time in 19 days

PR merged swift-server/sswg

new security guidelines & info

First shot at the new security guidelines.

+69 -9

4 comments

6 changed files

weissi

pr closed time in 19 days

started Mordil/RediStack

started time in 22 days

started Mordil/RediStack

started time in 24 days

issue comment Mordil/RediStack

about the dependency url

@Mordil OK, I have addressed this problem according to your method! Thanks 😊

micezhao

comment created time in a month

issue comment Mordil/RediStack

about the dependency url

OK, the following picture is my content: [image: Screenshot 2021-05-19 09 44 46]

micezhao

comment created time in a month

issue comment Mordil/RediStack

about the dependency url

> @micezhao The RediStack package is hosted on Gitlab as that's where the development is done - this repo is just a mirror. Can you clone the package directly from Gitlab?

No! I have tried several times to fetch this dependency directly, but the compiler did not resolve the package info correctly. Actually, even though the dependency can be fetched with the GitHub URL and resolves normally in Xcode, I still have no idea how to use this in Vapor; it is not like Java with the Spring Framework.

[image: Screenshot 2021-05-19 06 03 24]

micezhao

comment created time in a month

issue comment Mordil/RediStack

about the dependency url

@micezhao The RediStack package is hosted on Gitlab as that's where the development is done - this repo is just a mirror. Can you clone the package directly from Gitlab?

micezhao

comment created time in a month

issue opened Mordil/RediStack

about the dependency url

This afternoon, I tried to integrate Redis into Vapor 4 (my Swift version is 5.4).

According to this doc, I copied the URL ( .package(url: "https://gitlab.com/mordil/RediStack.git", .branch("master"))) to my Package.swift

but the compiler reported an unexpected problem. It indicated: " https://gitlab.com/Mordil/RediStack: An unknown error occurred. unexpected return value from ssl handshake -9806 (-1)"

Meanwhile, I found another reference in Vapor's docs (https://docs.vapor.codes/4.0/redis/overview/). Unfortunately, that did not fix it either.

Finally, I attempted to substitute "gitlab" with "github", and then the dependency package could be installed in my app.

To be honest, I spent more than an hour addressing this issue. So, would you mind changing the URL to the right one?

created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

+## Dealing with security vulnerability reports++This information is intended for package authors who have packages listed on the [SSWG's package index](https://swift.org/server/#projects). If instead you found (or have heard of) a security vulnerability you'd like to report, please have a look over [here](contributor-found-vulnerability.md).++---++The discovery of a security vulnerability in your code can be daunting, but it is part of the life of any software developer. So first of all, don't stress. If you need any help at any step of the way, please feel free to contact any of the SSWG members or the group as a whole at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org).++Here is a step-by-step guide on what to do with regards to the SSWG:++1. The SSWG is only a secondary point of contact which can broadcast information about vulnerabilities. The best way to start is to start addressing the vulnerability according to the security process of your own package.+2. As soon as you can -- but within 10 calendar days of discovering / receiving notification about the vulnerability -- please notify the SSWG about the vulnerability at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org). The SSWG will not disclose any information about this vulnerability and the emails can only be seen by the SSWG members listed on [swift.org/server](https://swift.org/server/) as well as the [Swift Core team](https://swift.org/community/#community-structure). If you prefer to share the vulnerability only with a smaller group, please feel free to reach out to any of the SSWG members individually.+3. After fixing the vulnerability, please promptly (within three days of releasing the fixed version) create a new Swift Forums post in the [Server > Security Updates](https://forums.swift.org/c/server/security-updates/50) category, linking to your own security advisory. 
The security advisory should contain at least which versions of what software are affected and how to update to an unaffected version.++From [_graduated_](https://github.com/swift-server/sswg/blob/master/process/incubation.md#process-diagram) projects the SSWG typically expects that the whole process -- from the initial report/discovery to fixing and publishing the vulnerability -- is completed within 30 days. We do however acknowledge that certain types of vulnerabilities are either very complicated to address or a part of a "coordinated disclosure" which means that 30 days may not be enough. That is absolutely understandable, please however make sure to inform the SSWG (at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org)) about your anticipated timelines and any significant divergence from the plan.++A package maintainer's failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project's status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact. SSWG actions will be decided on a case by case basis and require a supermajority vote.++Project authors are also encouraged to make use of their source control system security features (for example: [GitHub's "Security Advisories"](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories) and [GitLab's "Confidential Issues"](https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html)) to manage the vulnerabilities and inform their users.
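
Review bot: step 3's "within three days of releasing the fixed version" does not say whether these are calendar or business days, while step 2 is explicit with "10 calendar days" and the graduated-projects paragraph just says "30 days". Suggest writing "calendar days" in all three places so maintainers read every deadline the same way.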

I agree with this. There are multiple reasons why a repository/company may want to see alternative mechanisms; we shouldn't be as strong as SHOULD unless we can clearly articulate why alternative mechanisms would not be sufficient.

That said, we could add language around here to require that it must be easy for someone looking at a package to see its security advisories. This is obviously easier when using the source control system security features but doesn't rule out alternative mechanisms.

weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

+## SSWG security requirements for packages on the index++This information is intended for package authors who have packages listed on the SSWG's package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over [here](contributor-found-vulnerability.md).++---++Packages that are listed on the [SSWG's package index](https://swift.org/server/#projects) are required to follow the following guidelines around security.++Where security vulnerabilities are involved, it is key to ensure that somebody who discovers a vulnerability in your package can immediately find information on how to report it. As the package author, you know best where to put important information about your software. In general, it is typically the `README.md` file in the root of your repository on GitHub/GitLab/etc. The phrase "main information page" is used elsewhere in this document to refer to the `README.md` or other resource as appropriate for your project.++The key requirements are:

good idea, done!

weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

+## SSWG security requirements for packages on the index++This information is intended for package authors who have packages incubated by the SSWG and listed on the package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over [here](contributor-found-vulnerability.md).++---++Packages that are incubated by the SSWG and are listed on the [SSWG's package index](https://swift.org/server/#projects) are required to follow the following guidelines around security.++Where security vulnerabilities are involved, it is key to ensure that somebody who discovers a vulnerability in your package can quickly find information on how to report it. As the package author, you know best where to put important information about your software. Bear in mind that many of your users will see your repository's readme file (usually `README.md`) first. So make sure to link to your security policy from there.++A file named `SECURITY.md` in the root of your repository is the recommended place to put your full security policy. It is also worth noting that some vendors (like GitHub) automatically discover and promote `SECURITY.md` which make the relevant information even easier to find for your users.
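
Review bot: grammar in the last sentence of the `SECURITY.md` paragraph, where "which make the relevant information even easier to find" should read "which makes the relevant information even easier to find". In the paragraph above it, "are required to follow the following guidelines" would read better as "are required to follow these guidelines".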

CC @swift-server/sswg / @glbrntt I reworded this to recommend SECURITY.md.

weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

+## SSWG security requirements for packages on the index++This information is intended for package authors who have packages listed on the SSWG's package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over [here](contributor-found-vulnerability.md).++---++Packages that are listed on the [SSWG's package index](https://swift.org/server/#projects) are required to follow the following guidelines around security.++Where security vulnerabilities are involved, it is key to ensure that somebody who discovers a vulnerability in your package can immediately find information on how to report it. As the package author, you know best where to put important information about your software. In general, it is typically the `README.md` file in the root of your repository on GitHub/GitLab/etc. The phrase "main information page" is used elsewhere in this document to refer to the `README.md` or other resource as appropriate for your project.

@swift-server/sswg / @glbrntt Thanks George, that's a great idea. I reworded it and now recommend SECURITY.md as the recommended place for the security policy (and point out that Github has special support).

WDYT?

weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

+## Dealing with security vulnerability reports++This information is intended for package authors who have packages listed on the [SSWG's package index](https://swift.org/server/#projects). If instead you found (or have heard of) a security vulnerability you'd like to report, please have a look over [here](contributor-found-vulnerability.md).++---++The discovery of a security vulnerability in your code can be daunting, but it is part of the life of any software developer. So first of all, don't stress. If you need any help at any step of the way, please feel free to contact any of the SSWG members or the group as a whole at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org).++Here is a step-by-step guide on what to do with regards to the SSWG:++1. The SSWG is only a secondary point of contact which can broadcast information about vulnerabilities. The best way to start is to start addressing the vulnerability according to the security process of your own package.+2. As soon as you can -- but within 10 calendar days of discovering / receiving notification about the vulnerability -- please notify the SSWG about the vulnerability at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org). The SSWG will not disclose any information about this vulnerability and the emails can only be seen by the SSWG members listed on [swift.org/server](https://swift.org/server/) as well as the [Swift Core team](https://swift.org/community/#community-structure). If you prefer to share the vulnerability only with a smaller group, please feel free to reach out to any of the SSWG members individually.+3. After fixing the vulnerability, please promptly (within three days of releasing the fixed version) create a new Swift Forums post in the [Server > Security Updates](https://forums.swift.org/c/server/security-updates/50) category, linking to your own security advisory. 
The security advisory should contain at least which versions of what software are affected and how to update to an unaffected version.++From [_graduated_](https://github.com/swift-server/sswg/blob/master/process/incubation.md#process-diagram) projects the SSWG typically expects that the whole process -- from the initial report/discovery to fixing and publishing the vulnerability -- is completed within 30 days. We do however acknowledge that certain types of vulnerabilities are either very complicated to address or a part of a "coordinated disclosure" which means that 30 days may not be enough. That is absolutely understandable, please however make sure to inform the SSWG (at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org)) about your anticipated timelines and any significant divergence from the plan.++A package maintainer's failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project's status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact. SSWG actions will be decided on a case by case basis and require a supermajority vote.++Project authors are also encouraged to make use of their source control system security features (for example: [GitHub's "Security Advisories"](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories) and [GitLab's "Confidential Issues"](https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html)) to manage the vulnerabilities and inform their users.

@gwynne My thought here was that some projects may prefer to use other vulnerability management & notification systems. So I thought it's enough to "encourage" them to use the built-in ones in Github/Gitlab but if they have something else that works, that's cool too. To me the important part was that each project does have a process and defines it. WDYT?

weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

+# Security++Security is at the heart of a healthy and dependable software ecosystem, and therefore also at the heart of the SSWG. The documents linked from this page are intended to provide clear and simple guidance for both users and developers of packages listed in the SSWG's package index.++## Available information++The information we have is split into different scenarios, depending on why you are here. Each piece of information is supposed to be self-contained, so please select the most appropriate one. If the reason you are here is not covered, please get in touch with the [SSWG on the forums](https://forums.swift.org/c/server/serverdev/14). If you're just curious, feel free to read it all at once 😊.

does that work for you?

weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

+# Security++Security is at the heart of a healthy and dependable software ecosystem, and therefore also at the heart of the SSWG. The documents linked from this page are intended to provide clear and simple guidance for both users and developers of packages listed in the SSWG's package index.++## Available information++The information we have is split into different scenarios, depending on why you are here. Each piece of information is supposed to be self-contained, so please select the most appropriate one. If the reason you are here is not covered, please get in touch with the [SSWG on the forums](https://forums.swift.org/c/server/serverdev/14). If you're just curious, feel free to read it all at once 😊.

Thanks, wasn't a big fan of "use case" here, so reworded it to

The information is split into different scenarios, depending on what brings you here. Each piece of information is supposed to be self-contained, so please select the most appropriate one. If your situation isn't covered, please get in touch with the [SSWG on the forums](https://forums.swift.org/c/server/serverdev/14).
weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

 Changes to the Swift Server Ecosystem index page will be announced by the SSWG u * Include list of adopters for at least the primary repo ideally laid out in an ADOPTERS.md files or logos on the project website * Optionally, have a [Developer Certificate of Origin](https://developercertificate.org) or a [Contributor License Agreement](https://en.wikipedia.org/wiki/Contributor_License_Agreement) -## Security Best Practices+## Security -Project authors that discover, or have been advised of vulnerabilities in their projects must report them to the SSWG within 10d. Graduated projects are expected to address vulnerabilities within 30d. Reports should be sent to the SSWG using [Swift forums](https://forums.swift.org/c/server/security-updates).--Failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project's status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact. SSWG actions will be decided on a case by case basis and require a supermajority vote.--The SSWG will publicly share a list of vulnerabilities and fixes on [Swift forums](https://forums.swift.org/c/server/security-updates) to inform the Swift Server user community. Members are encouraged to subscribe to notifications and adopt fixes as soon as possible.--Project authors are also encouraged to make use of their source control system security features (for example: Github's "Security Advisories" and Gitlab's "Confidential Issues") to manage the vulnerabilities and inform their users.+Please follow the guidance laid out in the [Security](security.md) document.
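
Review bot: the removed "Security Best Practices" section includes the paragraph saying the SSWG will publicly share vulnerabilities and fixes on the Swift forums and that members should subscribe to notifications, and the single replacement line only links to `security.md`. Please confirm the linked document still carries that user-facing guidance, and keep the relative link `security.md` in step with wherever the file finally lives.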

It's now security/README.md; that way, people who like to click around also get it rendered straight away when they go to the security folder.

weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

 Changes to the Swift Server Ecosystem index page will be announced by the SSWG u * Include list of adopters for at least the primary repo ideally laid out in an ADOPTERS.md files or logos on the project website * Optionally, have a [Developer Certificate of Origin](https://developercertificate.org) or a [Contributor License Agreement](https://en.wikipedia.org/wiki/Contributor_License_Agreement) -## Security Best Practices+## Security -Project authors that discover, or have been advised of vulnerabilities in their projects must report them to the SSWG within 10d. Graduated projects are expected to address vulnerabilities within 30d. Reports should be sent to the SSWG using [Swift forums](https://forums.swift.org/c/server/security-updates).--Failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project's status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact. SSWG actions will be decided on a case by case basis and require a supermajority vote.--The SSWG will publicly share a list of vulnerabilities and fixes on [Swift forums](https://forums.swift.org/c/server/security-updates) to inform the Swift Server user community. Members are encouraged to subscribe to notifications and adopt fixes as soon as possible.--Project authors are also encouraged to make use of their source control system security features (for example: Github's "Security Advisories" and Gitlab's "Confidential Issues") to manage the vulnerabilities and inform their users.+Please follow the guidance laid out in the [Security](security.md) document.

Thanks @gwynne. I'll move security.md

weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

+## SSWG security requirements for packages on the index++This information is intended for package authors who have packages listed on the SSWG's package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over [here](contributor-found-vulnerability.md).++---++Packages that are listed on the [SSWG's package index](https://swift.org/server/#projects) are required to follow the following guidelines around security.
Packages that are incubated by the SSWG and are listed on the [SSWG's package index](https://swift.org/server/#projects) are required to follow the following guidelines around security.
weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

+## SSWG security requirements for packages on the index++This information is intended for package authors who have packages listed on the SSWG's package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over [here](contributor-found-vulnerability.md).
This information is intended for package authors who have packages incubated by the SSWG and listed on the package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over [here](contributor-found-vulnerability.md).
weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

+## Dealing with security vulnerability reports++This information is intended for package authors who have packages listed on the [SSWG's package index](https://swift.org/server/#projects). If instead you found (or have heard of) a security vulnerability you'd like to report, please have a look over [here](contributor-found-vulnerability.md).++---++The discovery of a security vulnerability in your code can be daunting, but it is part of the life of any software developer. So first of all, don't stress. If you need any help at any step of the way, please feel free to contact any of the SSWG members or the group as a whole at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org).++Here is a step-by-step guide on what to do with regards to the SSWG:++1. The SSWG is only a secondary point of contact which can broadcast information about vulnerabilities. The best way to start is to start addressing the vulnerability according to the security process of your own package.+2. As soon as you can -- but within 10 calendar days of discovering / receiving notification about the vulnerability -- please notify the SSWG about the vulnerability at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org). The SSWG will not disclose any information about this vulnerability and the emails can only be seen by the SSWG members listed on [swift.org/server](https://swift.org/server/) as well as the [Swift Core team](https://swift.org/community/#community-structure). If you prefer to share the vulnerability only with a smaller group, please feel free to reach out to any of the SSWG members individually.+3. After fixing the vulnerability, please promptly (within three days of releasing the fixed version) create a new Swift Forums post in the [Server > Security Updates](https://forums.swift.org/c/server/security-updates/50) category, linking to your own security advisory. 
The security advisory should contain at least which versions of what software are affected and how to update to an unaffected version.++From [_graduated_](https://github.com/swift-server/sswg/blob/master/process/incubation.md#process-diagram) projects the SSWG typically expects that the whole process -- from the initial report/discovery to fixing and publishing the vulnerability -- is completed within 30 days. We do however acknowledge that certain types of vulnerabilities are either very complicated to address or a part of a "coordinated disclosure" which means that 30 days may not be enough. That is absolutely understandable, please however make sure to inform the SSWG (at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org)) about your anticipated timelines and any significant divergence from the plan.++A package maintainer's failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project's status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact. SSWG actions will be decided on a case by case basis and require a supermajority vote.
A package maintainer's failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project's status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact on the ecosystem. SSWG actions will be decided on a case by case basis and require a supermajority vote.
weissi

comment created time in a month

Pull request review comment swift-server/sswg

new security guidelines & info

+## Dealing with security vulnerability reports++This information is intended for package authors who have packages listed on the [SSWG's package index](https://swift.org/server/#projects). If instead you found (or have heard of) a security vulnerability you'd like to report, please have a look over [here](contributor-found-vulnerability.md).++---++The discovery of a security vulnerability in your code can be daunting, but it is part of the life of any software developer. So first of all, don't stress. If you need any help at any step of the way, please feel free to contact any of the SSWG members or the group as a whole at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org).++Here is a step-by-step guide on what to do with regards to the SSWG:++1. The SSWG is only a secondary point of contact which can broadcast information about vulnerabilities. The best way to start is to start addressing the vulnerability according to the security process of your own package.+2. As soon as you can -- but within 10 calendar days of discovering / receiving notification about the vulnerability -- please notify the SSWG about the vulnerability at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org). The SSWG will not disclose any information about this vulnerability and the emails can only be seen by the SSWG members listed on [swift.org/server](https://swift.org/server/) as well as the [Swift Core team](https://swift.org/community/#community-structure). If you prefer to share the vulnerability only with a smaller group, please feel free to reach out to any of the SSWG members individually.+3. After fixing the vulnerability, please promptly (within three days of releasing the fixed version) create a new Swift Forums post in the [Server > Security Updates](https://forums.swift.org/c/server/security-updates/50) category, linking to your own security advisory. 
The security advisory should contain at least which versions of what software are affected and how to update to an unaffected version.++From [_graduated_](https://github.com/swift-server/sswg/blob/master/process/incubation.md#process-diagram) projects the SSWG typically expects that the whole process -- from the initial report/discovery to fixing and publishing the vulnerability -- is completed within 30 days. We do however acknowledge that certain types of vulnerabilities are either very complicated to address or a part of a "coordinated disclosure" which means that 30 days may not be enough. That is absolutely understandable, please however make sure to inform the SSWG (at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org)) about your anticipated timelines and any significant divergence from the plan.
weissi

comment created time in a month