add links to release notes #797

Merged
merged 1 commit into from
Jun 25, 2020
@pmboothby
Contributor

pmboothby commented Jun 18, 2020

Teslascope copy Tesla's release notes to their website using a URL with the version number in it, so very easy to link to. This addition opens a new browser tab from the Updates table "Installed Version" column to Teslascope's page with the relevant release notes.

@baylanger
Contributor

For many reasons, teslamate should have its own copy of the release notes.

Relying on a third party web site is by default not secure, especially true for small private companies. A hacker could compromise that web site and put us all at risk just by clicking on that link.

@adriankumpf
Collaborator

While I agree that linking to a third party is not ideal, hosting a copy of the release notes requires constant work to keep them up to date. For a paid service this is not a problem, but for an open source project it is different.

Opening the external release notes reveals the URL of your Grafana instance to Teslascope (via the referrer header). That is not any different from clicking a link on any other website but it's definitely not great. On the other hand, this feature is quite useful and a cool idea. So I think it should definitely be merged.

Thanks @pmboothby!

@adriankumpf adriankumpf merged commit c15e3d5 into teslamate-org:master Jun 25, 2020
@corsair

corsair commented Jul 5, 2020

Hey all! I saw this pull request was already closed and was just made aware of this integration, but wanted to still comment to hopefully help relieve any concerns over security and other matters. First and foremost, however, it is a pleasure to see my project being included in Teslamate as an independent developer. @pmboothby @adriankumpf @baylanger

Teslascope is a very community-focused project and service and I've put a lot of time (and money) into ensuring that it provides the safest possible experience for those who use it whether as a visitor or user. Some of the ways I protect our users are as follows:

  • Constantly monitoring for known CVEs relating to the framework and libraries the service uses (which is purposefully limited) to ensure maintaining and preventing any attack vectors and resolving concerns as they come up.
  • One of the only Tesla-related services to provide 2FA authentication (TOTP) to further protect user data.
  • Taking advantage of services such as Cloudflare's plans for providing an extra level of security (WAF) in addition to logging any "bad actor" requests to analyze further.

Teslascope is also trusted by the Tesla subreddit's moderation team and the only official partner of their Discord server after months of discussions and ensuring we met their requirements for security and overall transparency for their community.

If there are still any concerns over safety/security in regard to any integrations with Teslascope, please feel free to contact me at any time via email!

@pmboothby
Contributor Author

Regarding the concern about the referral header when linking externally (e.g. to teslascope), I've been playing with Grafana and it's trivial to add rel="noreferrer" to the link. It seems most modern browsers support this (https://caniuse.com/#search=rel%3D%22noreferrer%22). Should I update the code and submit another pull request?

@adriankumpf
Collaborator

I didn't know that! Good idea. I'll look at your PR right now.
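
The `rel="noreferrer"` change discussed in this thread, as an added example that is not part of the pull request or TeslaMate's code: a JavaScript audit-and-fix pass over an HTML fragment that finds cross-origin links lacking `noreferrer` and adds it. The function names, the Grafana address and the release-notes host are constructed placeholders.

```javascript
// Added example; URLs are constructed placeholders, not the project's links.
// Regex-based sketch: only quoted attribute values are read, so a link with
// an unquoted href is left untouched rather than guessed at.
const ATTR = (name) => new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'i');

// Value of a quoted attribute in an <a ...> attribute string, or null.
function attrValue(attrs, name) {
  const m = ATTR(name).exec(attrs);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// True when href resolves to an http(s) URL on another origin than the page.
function isCrossOrigin(href, pageUrl) {
  try {
    const target = new URL(href, pageUrl);
    return /^https?:$/.test(target.protocol) && target.origin !== new URL(pageUrl).origin;
  } catch (e) {
    return false; // unparsable href: not treated as external
  }
}

function hasNoReferrer(attrs) {
  return (attrValue(attrs, 'rel') || '').toLowerCase().split(/\s+/).includes('noreferrer');
}

// Audit: hrefs of cross-origin links that lack rel="noreferrer".
function findLeakyLinks(html, pageUrl) {
  const leaky = [];
  for (const [, attrs] of html.matchAll(/<a(\s[^>]*)>/gi)) {
    const href = attrValue(attrs, 'href');
    if (href !== null && isCrossOrigin(href, pageUrl) && !hasNoReferrer(attrs)) leaky.push(href);
  }
  return leaky;
}

// Fix: add noreferrer to those links, keeping any existing rel tokens.
function hardenLinks(html, pageUrl) {
  return html.replace(/<a(\s[^>]*)>/gi, (tag, attrs) => {
    const href = attrValue(attrs, 'href');
    if (href === null || !isCrossOrigin(href, pageUrl) || hasNoReferrer(attrs)) return tag;
    const rel = (attrValue(attrs, 'rel') || '').trim();
    return `<a${attrs.replace(ATTR('rel'), '')} rel="${rel ? rel + ' ' : ''}noreferrer">`;
  });
}

// Constructed sample: one internal link and two external ones.
const PAGE = 'https://grafana.home.example/d/updates';
const SAMPLE = '<a href="/d/overview">Overview</a> ' +
  '<a href="https://release-notes.example/2020.24.6" target="_blank">2020.24.6</a> ' +
  "<a rel='nofollow' href='https://release-notes.example/2020.20.1'>2020.20.1</a>";
console.log(findLeakyLinks(SAMPLE, PAGE), hardenLinks(SAMPLE, PAGE));
```

Same-origin links are left alone, and running `hardenLinks` twice gives the same output as running it once.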
