stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Refactor code structure and optimize performance across multiple modules

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-26 20:03:22 +02:00
parent c786faae84
commit b4fc66feb6
3353 changed files with 88254 additions and 1590657 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/security/rootpack_ru_crypto_fork.md
View File

@@ -2,13 +2,13 @@
## Why
- We need a patchable, source-controlled CryptoPro/GOST stack to ship RootPack_RU without relying on the vulnerable `IT.GostCryptography` 6.0.0.1 package.
- The fork lives at `third_party/forks/AlexMAS.GostCryptography` and is now wired into `StellaOps.Cryptography.Plugin.CryptoPro`.
- The fork lives at `src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/AlexMAS.GostCryptography` (co-located with the plugin that uses it).
## Fork specifics
- Upstream: https://github.com/AlexMAS/GostCryptography @ commit `31413f6`.
- Retargeted to `net10.0`; packaging-on-build disabled to avoid accidental nuget pushes.
- Added deps: `System.Security.Cryptography.Xml` 8.0.1, `System.Security.Permissions` 8.0.0, warning suppressions (CA1416, SYSLIB0004) for Windows-only CSP APIs.
- Build entrypoint: `third_party/forks/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj`.
- Build entrypoint: `src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj`.
## How we consume it
- `src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro` now project-references the fork (removed `IT.GostCryptography` nuget).
@@ -16,12 +16,12 @@
- Tests are opt-in and Windows/CSP only: set `STELLAOPS_CRYPTO_PRO_ENABLED=1` and run `scripts/crypto/run-cryptopro-tests.ps1`.
## How to sync the fork
- Track the pinned upstream commit in `third_party/forks/AlexMAS.GostCryptography/STELLA_NOTES.md` (currently `31413f6`).
- Track the pinned upstream commit in `src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/AlexMAS.GostCryptography/STELLA_NOTES.md` (currently `31413f6`).
- To refresh:
1. `git clone https://github.com/AlexMAS/GostCryptography.git /tmp/gost && cd /tmp/gost && git checkout <commit-or-tag>`
2. `rsync -a --delete --exclude .git /tmp/gost/ third_party/forks/AlexMAS.GostCryptography/`
2. `rsync -a --delete --exclude .git /tmp/gost/ src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/AlexMAS.GostCryptography/`
3. Update `STELLA_NOTES.md` with the new commit hash and any upstream changes that matter for CSP/Magma/Kuznyechik.
4. Run `dotnet build third_party/forks/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj -c Release` plus `dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro -c Release` to confirm the fork still compiles inside the monorepo.
4. Run `dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj -c Release` plus `dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro -c Release` to confirm the fork still compiles inside the monorepo.
- Keep the folder free of binary outputs (no `.nupkg` or `bin/obj` committed) so RootPack stays reproducible.
## Build & test quickstart (Windows runner with CryptoPro CSP installed)

6
docs/security/rootpack_ru_package.md
View File

@@ -3,7 +3,7 @@
This guide describes the reproducible process for assembling the sovereign cryptography bundle that backs RootPack_RU deployments.
## 0. Fork provenance & licensing checklist
- Confirm the vendored fork commit recorded in `third_party/forks/AlexMAS.GostCryptography/STELLA_NOTES.md` matches `git -C third_party/forks/AlexMAS.GostCryptography rev-parse HEAD` before you package.
- Confirm the vendored fork commit recorded in `src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/AlexMAS.GostCryptography/STELLA_NOTES.md` matches `git -C src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/AlexMAS.GostCryptography rev-parse HEAD` before you package.
- Copy the fork's `LICENSE` (MIT) and `STELLA_NOTES.md` into the bundle `docs/` directory so downstream operators see the source provenance; keep the plug-ins themselves under AGPL-3.0-or-later.
- Do not publish the fork to NuGet; all builds must use the vendored sources shipped inside the bundle.
@@ -37,8 +37,8 @@ The script performs the following steps:
After the script finishes, drop the fork metadata into `docs/` inside the bundle:
```bash
cp third_party/forks/AlexMAS.GostCryptography/LICENSE "${OUTPUT_ROOT}/docs/LICENSE.gostcryptography"
cp third_party/forks/AlexMAS.GostCryptography/STELLA_NOTES.md "${OUTPUT_ROOT}/docs/STELLA_NOTES.gostcryptography.md"
cp src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/AlexMAS.GostCryptography/LICENSE "${OUTPUT_ROOT}/docs/LICENSE.gostcryptography"
cp src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/third_party/AlexMAS.GostCryptography/STELLA_NOTES.md "${OUTPUT_ROOT}/docs/STELLA_NOTES.gostcryptography.md"
```
> **Temporary quarantine (2025-11-09).** To keep day-to-day builds free of the vulnerable GostCryptography dependency, the repository disables the CryptoPro plug-in unless you pass `-p:StellaOpsEnableCryptoPro=true`. RootPack packaging still works because this script publishes the plug-in directly, but any host/service build that needs CryptoPro must opt in with that MSBuild property until the patched package lands.