
v0.2.5


@jondepalma jondepalma released this 10 Jan 04:00
788af74

Release v0.2.5: Repository Governance, OWASP Compliance, and PyO3 Fixes

🎯 Overview

This release enhances repository governance for public launch, adds comprehensive OWASP Password Storage compliance testing, and resolves PyO3 compatibility issues in the CI/CD pipeline.

Release Type: Minor version (backward compatible)
Status: Beta - Independent security audit pending
Python Support: 3.9, 3.10, 3.11, 3.12


✨ What's New

Repository Governance Automation

  • GitHub CODEOWNERS - Automated review request routing for security-critical components
  • Dependabot - Weekly dependency monitoring for Python packages and GitHub Actions
    • Auto-labels PRs with 'dependencies', 'security', 'ci/cd'
    • Groups minor/patch updates to reduce noise
    • Targets dev branch to maintain workflow integrity

OWASP Password Storage Compliance Testing

  • 12 new compliance tests validating PBKDF2-HMAC-SHA256 implementation
  • Tests verify:
    • ✅ 480,000 iterations (55% above OWASP 2021 minimum)
    • ✅ HMAC-SHA256 algorithm (OWASP recommended)
    • ✅ 128-bit salt length (NIST SP 800-132)
    • ✅ Salt randomness and uniqueness
    • ✅ 256-bit output length
    • ✅ Documentation accuracy (CRYPTO_RATIONALE.md, THREAT_MODEL.md)
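The checks listed above, written out as an added example against Python's standard-library PBKDF2 rather than didlite's own test suite or API (neither of which is shown on this page). The constants, helper names and the known-answer vector are this example's own assumptions, chosen to match the figures in the release notes:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Parameters taken from the release notes above; the names are this example's own.
ITERATIONS = 480_000          # count shipped since v0.1.5
SALT_BYTES = 16               # 128-bit salt (NIST SP 800-132 minimum)
KEY_BYTES = 32                # 256-bit derived key
OWASP_2021_MIN = 310_000      # PBKDF2-HMAC-SHA256, OWASP cheat sheet 2021
OWASP_2023_MIN = 600_000      # PBKDF2-HMAC-SHA256, OWASP cheat sheet 2023


def derive_key(password: str, salt: Optional[bytes] = None,
               iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 via hashlib; draws a fresh 128-bit salt when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Re-derive and compare in constant time; never compare derived keys with ==."""
    _, key = derive_key(password, salt, iterations)
    return hmac.compare_digest(key, expected)


def compliance_report(iterations: int, salt: bytes, key: bytes) -> Dict[str, object]:
    """The parameter checks from the release notes, as one dict a test can assert on."""
    return {
        "meets_owasp_2021": iterations >= OWASP_2021_MIN,
        "meets_owasp_2023": iterations >= OWASP_2023_MIN,
        "headroom_over_2021": round(iterations / OWASP_2021_MIN - 1, 2),
        "salt_128_bit": len(salt) >= SALT_BYTES,
        "key_256_bit": len(key) == KEY_BYTES,
    }


def salts_are_unique(password: str, runs: int = 8) -> bool:
    """Every derivation without an explicit salt must draw a fresh, distinct one."""
    salts = {derive_key(password)[0] for _ in range(runs)}
    return len(salts) == runs


def known_answer_ok() -> bool:
    """Known-answer test pinning the primitive to PBKDF2-HMAC-SHA256.
    Vector (assumed from the commonly published PBKDF2-HMAC-SHA256 test set):
    P="password", S="salt", c=1, dkLen=32."""
    expected = bytes.fromhex(
        "120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b")
    _, key = derive_key("password", b"salt", iterations=1)
    return key == expected


if __name__ == "__main__":
    salt, key = derive_key("correct horse battery staple")   # constructed sample password
    print(compliance_report(ITERATIONS, salt, key))
    print("salts unique:", salts_are_unique("sample"), "KAT:", known_answer_ok())
```

The known-answer test is the check worth keeping even when the parameters are right: it fails loudly if a build ever binds "sha256" to a different digest or the derivation is silently replaced.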

Enhanced Testing Documentation

  • New comprehensive OWASP compliance testing section in TESTING_GUIDE.md
  • PyO3 testing best practices guide (docs/PYO3_TESTING_BEST_PRACTICES.md)
  • Updated test counts: 236 → 248 tests (+5% increase)

🐛 Bug Fixes

CI/CD Pipeline (PyO3 Compatibility)

  • Fixed PyO3 reinitialization errors in OWASP compliance tests
  • Split test suite into separate GitHub Actions jobs:
    • Main test job: All tests except OWASP compliance
    • Isolated OWASP job: Prevents cross-module PyO3 conflicts
  • Both jobs run on Python 3.9-3.12 matrix
  • Long-term fix planned for v0.3.0 (comprehensive test refactoring)

Documentation Accuracy

  • Corrected PBKDF2 iteration count in CRYPTO_RATIONALE.md and THREAT_MODEL.md
    • Documentation previously claimed 600,000 iterations (an aspirational target that was never implemented)
    • Actual implementation: 480,000 iterations (since v0.1.5)
    • No code changes - documentation-only correction
  • Fixed release script CHANGELOG duplication bug
    • Script now checks if version exists before inserting
    • Re-running no longer creates duplicate headers
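The idempotent insert described above, as an added example that is not the project's release script (whose code is not on this page). It assumes a Keep-a-Changelog-style `## [version] - date` header; the sample changelog, version strings and dates are constructed values:

```python
import re


def has_version(changelog: str, version: str) -> bool:
    """True if a release header for exactly this version already exists.
    The anchored, escaped pattern keeps 0.2.5 from matching a 0.2.50 header."""
    pattern = r"^## \[" + re.escape(version) + r"\]"
    return re.search(pattern, changelog, flags=re.MULTILINE) is not None


def insert_release(changelog: str, version: str, date: str, notes: str) -> str:
    """Insert a release section above the newest existing one, or return the
    text unchanged when that version is already present (re-runs are no-ops)."""
    if has_version(changelog, version):
        return changelog
    section = f"## [{version}] - {date}\n\n{notes.strip()}\n"
    first_release = re.search(r"^## \[", changelog, flags=re.MULTILINE)
    if first_release:
        idx = first_release.start()
        return changelog[:idx] + section + "\n" + changelog[idx:]
    # No releases yet: append the section after whatever preamble exists.
    return changelog.rstrip("\n") + "\n\n" + section


# Constructed sample changelog (not the project's real CHANGELOG).
SAMPLE_CHANGELOG = """# Changelog

## [0.2.4] - 2024-01-01

- previous release
"""


if __name__ == "__main__":
    once = insert_release(SAMPLE_CHANGELOG, "0.2.5", "2024-01-10", "- new notes")
    twice = insert_release(once, "0.2.5", "2024-01-10", "- new notes")
    print("idempotent:", once == twice)
    print(once)
```

The exact-match check is the part that matters: a substring test such as `"0.2.5" in changelog` would have also reported 0.2.5 as present once a 0.2.50 entry existed, and skipped the insert.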

📊 Test Suite Summary

Total Tests: 248 (+12 from v0.2.4)
Results: 245 passed, 3 skipped
Coverage: 95.7% overall (100% on security-critical code)
Execution Time: ~12 seconds

Test Categories:

  • Compliance: 18 tests (W3C DID, RFC 7515/7519)
  • Core: 37 tests (Identity, DID resolution, JWK/PEM)
  • Fuzzing: 32 tests (Attack scenarios, DoS prevention)
  • Integration: 5 tests (Authlib interoperability)
  • JWS: 63 tests (Token creation, verification, TTL)
  • Keystore: 49 tests (Memory, Env, File backends)
  • OWASP Compliance: 12 tests ⭐ NEW
  • Security: 32 tests (Error sanitization, input validation)

🔒 Security Enhancements

OWASP Compliance Status

  • Current: 480,000 PBKDF2 iterations
  • OWASP 2021 Minimum: 310,000 iterations ✅ Exceeds by 55%
  • OWASP 2023 Recommendation: 600,000 iterations ❌ Not yet met (current count is 80% of this target)
  • v1.0.0 Upgrade Plan: Increase to 600,000 with backward compatibility

Enhanced Security Documentation

  • Updated .github/SECURITY.md with password requirements section
  • Strong password guidance (20+ characters mandatory)
  • GPU crack time analysis for various password strengths
  • Documented upgrade path to full OWASP 2023 compliance

Supply Chain Security

  • Dependabot flags outdated and known-vulnerable dependencies so they can be patched promptly
  • Automated weekly vulnerability scanning
  • CI/CD security-scan job validates all dependencies

📝 Documentation Updates

New Documentation

  • docs/PYO3_TESTING_BEST_PRACTICES.md - Comprehensive PyO3 testing guide (272 lines)
  • .github/CODEOWNERS - Code ownership definitions
  • .github/dependabot.yml - Dependency monitoring configuration

Updated Documentation

  • docs/TESTING_GUIDE.md - Added OWASP compliance section, updated test counts
  • .github/SECURITY.md - Added password requirements and compliance status
  • README.md - Updated test coverage table to v0.2.5
  • docs/CRYPTO_RATIONALE.md - Corrected iteration count (600k → 480k)
  • docs/THREAT_MODEL.md - Corrected iteration count (600k → 480k)

Removed Documentation

  • docs/SETUP_LOCAL.md - Moved to internal docs (package now on PyPI)

🔧 Breaking Changes

None. This release is fully backward compatible with v0.2.4.


📦 Installation

pip install --upgrade didlite

Verify installation:

import didlite
print(didlite.__version__)  # Should print: 0.2.5

🔗 Resources


🙏 Acknowledgments

Special thanks to the OWASP Foundation for the Password Storage Cheat Sheet guidance and to the Python cryptography community for PyO3 compatibility best practices.


⚠️ Beta Status Reminder

This library has not undergone an independent security audit. While comprehensive internal security hardening has been completed with 23+ documented security fixes, we recommend against production use until an external audit is complete.

Use at your own risk. Report vulnerabilities to: security@didlite.io


🚀 What's Next

v0.3.0 Preview:

  • Comprehensive test refactoring (module-scoped fixtures for all FileKeyStore tests)
  • Enhanced fuzzing coverage
  • Performance benchmarks update
  • Preparation for v1.0.0 security audit

See docs/FUTURE_UPGRADES.md for the full roadmap.


🤖 Generated with Claude Code