We standarized on using `rustls` as a TLS implementation across the
monorepo, which is written in Rust and has better ergonomics,
integration with the Rust ecosystem, and consistent behavior among
platforms. However, the Labrinth Clickhouse client was the last
remaining exception to this, using the native, OS-provided TLS
implementation, which on Linux is OpenSSL and requires developers and
Docker images to install OpenSSL development packages to build Labrinth,
in addition to introducing an additional runtime dependency to Labrinth.
Let's make the process of building Labrinth slightly simpler by
switching such client to `rustls` as well, which results in finally
using the same TLS implementation for everything, a simplified build and
distribution process, less transitive dependencies, and potentially
smaller binaries (since `rustls` was already being pulled in for, e.g.,
the SMTP client).
* feat: add security.txt
Security.txt is a well-known (pun intended) file among security researchers, so they don't have to go scavenging for your security information. More information is available on [securitytxt.org](https://securitytxt.org/).
I've set the following values:
- The email to contact with issues, `jai@modrinth.com`. This is the email stated in the security policy. If you wish to not include it here due to spam, you should also not have it as a `mailto` link in the security policy.
- Expiry is set to 2030. By this time Modrinth has become the biggest Minecraft mod distributor, and having expanded into other games. By this time they should also have updated this file.
- English is the preferred language
- The file is located at modrinth.com/.well-known/security.txt
- The security policy is at https://modrinth.com/legal/security
The following values have been left unset:
- PGP key, not sure where this would be located, if there is one
- Acknowledgments. Modrinth does currently not have a site for thanks
- Hiring, as it wants security-related positions
- CSAF, a Common Security Advisory Framework ?
* fix(docs): reduce security.txt expiry
This addresses a concern where the security.txt has a long expiration date. Someone could treat this as "use this until then", which we don't want since it's a long time. The specification recommends no longer than one year, as it is to mark as stale.
From the RFC:
> The "Expires" field indicates the date and time after which the data contained in the "security.txt" file is considered stale and should not be used (as per Section 5.3). The value of this field is formatted according to the Internet profiles of [ISO.8601-1] and [ISO.8601-2] as defined in [RFC3339]. It is RECOMMENDED that the value of this field be less than a year into the future to avoid staleness.
Signed-off-by: Erb3 <49862976+Erb3@users.noreply.github.com>
* fix(frontend): extend security.txt expiry
It takes so long to merge the PR :(
Signed-off-by: Erb3 <49862976+Erb3@users.noreply.github.com>
* docs(frontend) careers link in security.txt
Signed-off-by: Erb3 <49862976+Erb3@users.noreply.github.com>
---------
Signed-off-by: Erb3 <49862976+Erb3@users.noreply.github.com>
Co-authored-by: Erb3 <49862976+Erb3@users.noreply.github.com>
* fix(theseus-gui): fix sort/group by game version
In the Library, game version 1.8.9 is sorted/grouped after 1.20 because
the default sorting sorts 2 < 8
therefore localeCompare(with numeric=true) is needed, it detects 8 < 20
and puts the versions in the correct order.
* lint
---------
Co-authored-by: Prospector <prospectordev@gmail.com>
* feat: only initialize batch renderer if needed & head storage
* feat: support webp storage of skin renders if supported (falls back to png if not)
* fix: performance improvements with cache loading+saving
* fix: mirrored skins + remove cape model for embedded cape
* feat: antialiasing
* fix: leg jumping & store fbx's for reference
* fix: lint issues
* fix: lint issues
* feat: tweaks to radial spotlight
* fix: app nav btn colors
* dist(docker): add `.dockerignore` as symlink to `.gitignore`
This ensures that no files outside of version control are transferred to
the Docker build context for Labrinth and Daedalus images, which
significantly improves build speed (if a `target` directory is already
present) and build reproducibility.
* chore(dist/docker): simplify out unneeeded statements, move `SQLX_OFFLINE` env var setting to build command itself
The latter approach ensures that developers building the image locally
don't forget to set `SQLX_OFFLINE`, too.
* dist(docker): add `curl` package to Labrinth image
* feat(ci): clean up app release build workflow, set app versions to match tag's
* feat(ci): rename Theseus build workflow, add new release workflow
* chore(ci): minor tweaks to `theseus-build` workflow
* chore: update workflow reference in comments
* fix(app): adjust CSP settings for skin manager to work
* tweak: allow current Tauri scheme in CSP
* tweak: remove references to invalid `sunny.png` texture in skin models
These were causing load errors in production app builds.
* tweak: use proper URL imports for skin models
This fixes importing these models in production builds of the app.
* chore(app-frontend): use more proper import style for glTF assets
* tweak: use proper URL imports for skin models in more places
* fix(app): use the same CSP during `tauri dev` as `tauri build`
* chore(app-frontend): make Vite WS CSP policy a bit more strict
* tweak: make Tauri CSP config object readable again
At the cost of some extra code in the Vite config side, but I think it's
worth it.
* chore: fix linter warning in app frontend introduced who knows where else
We need a Git hook to ensure these things aren't pushed only to explode
later on or something.
* Fix wrong email address
Signed-off-by: Ken <131881470+Keniis0712@users.noreply.github.com>
* Decouple SMTP auth identity from message sender
Signed-off-by: Ken <131881470+Keniis0712@users.noreply.github.com>
* Add new configurations to .env file
Signed-off-by: Ken <131881470+Keniis0712@users.noreply.github.com>
* Update mod.rs
Signed-off-by: Ken <131881470+Keniis0712@users.noreply.github.com>
* Remove unused import
Signed-off-by: Ken <131881470+Keniis0712@users.noreply.github.com>
* Give SMTP_FROM_ADDRESS a default value
Co-authored-by: Alejandro González <7822554+AlexTMjugador@users.noreply.github.com>
Signed-off-by: Ken <131881470+Keniis0712@users.noreply.github.com>
* Add the correct host name
Signed-off-by: Ken <131881470+Keniis0712@users.noreply.github.com>
* Fix CI failure
Signed-off-by: Ken <131881470+Keniis0712@users.noreply.github.com>
* Update mod.rs
Signed-off-by: Ken <131881470+Keniis0712@users.noreply.github.com>
---------
Signed-off-by: Ken <131881470+Keniis0712@users.noreply.github.com>
Co-authored-by: Alejandro González <7822554+AlexTMjugador@users.noreply.github.com>
Co-authored-by: Emma Alexia <emma@modrinth.com>
