Add a reminder to avoid PRIVATE directory bundling

2025-09-12 07:55:23 +08:00 · 2024-06-05 00:25:34 +02:00 · 2024-06-05 00:25:34 +02:00 · 96bd0a9120
commit 96bd0a9120
parent 2c7a1a1d62
2 changed files with 10 additions and 1 deletions
--- a/PRIVATE/__no_init__.py
+++ b/PRIVATE/__no_init__.py
@ -0,0 +1,5 @@
+#! /usr/bin/env python3
+#  -*- coding: utf-8 -*-
+
+# Placeholder to remind this directory should not become a package
+# In order to avoid bundling it with the main package as wheel / bdist
--- a/SECURITY.md
+++ b/SECURITY.md
@ -56,4 +56,8 @@ When set, an external NTP server is used to get the offset. If offset is high en

 # NPF-SEC-00011: Default AES key obfuscation

-Using obfuscation() symmetric function in order to not store the bare AES key.
+Using obfuscation() symmetric function in order to not store the bare AES key.
+
+# NPF-SEC-00012: Don't add PRIVATE directory to wheel / bdist builds
+
+The PRIVATE directory might contain alternative AES keys and obfuscation functions which should never be bundled for a PyPI release.