linux_patch_manager

git-echo/linux_patch_manager

Private

Public Access

Fork 0

Commit Graph

Author	SHA1	Message	Date
Draco-Lunaris-Echo	8873b2c70c	fix(security): harden enrollment PKI bundle retrieval (#12 ) - Add single-retrieval semantics: approved PKI bundles are atomically removed from the in-memory cache on first retrieval via DashMap::remove(), preventing concurrent requests from obtaining the private key - Add TTL expiry: ApprovedEntry wraps PkiBundle with approved_at and ttl fields; bundles expire after ENROLLMENT_BUNDLE_TTL_SECS (600s / 10 min) - Replace brute-force clear() purge with TTL-based retain() in background task, running every 60s instead of every 600s - Audit tracing calls: confirm no raw polling token is logged; add security comment documenting this policy - Document CSR-based enrollment as future enhancement in both enrollment.rs and SECURITY.md, explaining why server-generated keys are used currently	2026-06-02 15:16:44 -05:00
Draco Lunaris	0f0a534f25	docs: add CONTRIBUTING.md and SECURITY.md for open source Some checks failed CI Pipeline / Rust Format Check (push) Successful in 6s CI Pipeline / Clippy Lints (push) Successful in 53s CI Pipeline / Rust Unit Tests (push) Failing after 1m11s CI Pipeline / Security Audit (push) Successful in 4s CI Pipeline / Frontend Lint & Type Check (push) Successful in 15s CI Pipeline / Build .deb & Release (push) Has been skipped	2026-05-31 00:12:14 -05:00

Author

SHA1

Message

Date

Draco-Lunaris-Echo

8873b2c70c

fix(security): harden enrollment PKI bundle retrieval (#12 )

- Add single-retrieval semantics: approved PKI bundles are atomically
  removed from the in-memory cache on first retrieval via DashMap::remove(),
  preventing concurrent requests from obtaining the private key
- Add TTL expiry: ApprovedEntry wraps PkiBundle with approved_at and ttl
  fields; bundles expire after ENROLLMENT_BUNDLE_TTL_SECS (600s / 10 min)
- Replace brute-force clear() purge with TTL-based retain() in background
  task, running every 60s instead of every 600s
- Audit tracing calls: confirm no raw polling token is logged; add security
  comment documenting this policy
- Document CSR-based enrollment as future enhancement in both enrollment.rs
  and SECURITY.md, explaining why server-generated keys are used currently

2026-06-02 15:16:44 -05:00

Draco Lunaris

0f0a534f25

docs: add CONTRIBUTING.md and SECURITY.md for open source

CI Pipeline / Rust Format Check (push) Successful in 6s

CI Pipeline / Clippy Lints (push) Successful in 53s

CI Pipeline / Rust Unit Tests (push) Failing after 1m11s

CI Pipeline / Security Audit (push) Successful in 4s

CI Pipeline / Frontend Lint & Type Check (push) Successful in 15s

CI Pipeline / Build .deb & Release (push) Has been skipped

2026-05-31 00:12:14 -05:00

2 Commits