Add SecureChain for Open Source documentation section#536
Conversation
Adds a new top-level docs section for SecureChain: landing page, JavaScript/Lodash setup guide, repository management page, ecosystem grid component, sidebar entry, and home card. JavaScript ships first; other ecosystems are scaffolded but commented out. https://claude.ai/code/session_01EV89C7mnQRZJAa2D9SDbFH
aknol-tuxcare
left a comment
aknol-tuxcare
left a comment
There was a problem hiding this comment.
Reviewed in full. Overall the structure is right and the per-product Lodash page is in good shape. Two themes I'd push back on before this ships publicly:
- Marketing overclaims that don't match what SecureChain actually delivers. "malware-free" appears in two prominent places (component H2 and the home-page card). We deliver verified, signed, rebuilt artifacts — we don't make a guarantee of malware absence, and that wording will create legal/support exposure. Tighten to "verified, signed" / "verified, signed, rebuilt" to match the per-product intro line on the Lodash page (which I think is the right phrasing).
- Ecosystem list runs ahead of commitments. The home-page card and the component preview both list six ecosystems including Rust. Today only JavaScript ships, Python is on hold, Java is in pipeline, and there is no Rust commitment. Listing Rust in customer-facing copy creates an expectation we can't keep. Trim to JS at launch and a clear roadmap (Python/Java/Go/PHP) that we can actually defend.
A few smaller items in line comments — terminology fix on SBOM/VEX (VEX isn't an SBOM format), CVSS v3.1 vs v4.0, the SLA placeholder, npm _auth vs _authToken, the npm cache clean --force recommendation in the upgrade guide, and one Vue antipattern in the new component.
Also replying to Sofia's earlier question ("are coverage and support policy standard same as ELS?") — the README does copy ELS-for-Libraries verbatim for incident response, support duration, and technical support. That's fine if it's intentional, but I'd state it explicitly in the README rather than have customers diff two pages.
| projects: | ||
| filteredProjects.length > 0 || matchEcosystem | ||
| ? filteredProjects.length > 0 | ||
| ? filteredProjects |
There was a problem hiding this comment.
Mutating reactive state inside computed() is a Vue 3 antipattern (activeTab.value = 0 here triggers a reactivity warning in dev and can cause a re-render loop in edge cases). Move the reset into a watch(filteredData, ...) or watchEffect so the computed remains a pure getter.
|
|
||
| <SecureChainTechnology /> | ||
|
|
||
| <ContactSales text="Need a version not listed? Contact sales@tuxcare.com for more information." /> |
There was a problem hiding this comment.
Sofia asked in Slack whether SecureChain's coverage and support policy are the same as ELS. Looking at this README, the Incident Reporting, Support Duration, and Technical Support sections are copied verbatim from ELS for Libraries — which is the right call for consistency, but it's not stated. Add one sentence here, e.g.:
SecureChain follows the same coverage commitments, incident response, and technical support model as ELS for Libraries unless noted otherwise on a per-package page.
Otherwise customers (and reviewers like me) have to diff two pages to figure out what's the same and what's intentionally different.
There was a problem hiding this comment.
The current README includes the operational sections (Incident Reporting, Support Duration, Technical Support) but doesn't state that "these mirror ELS for Libraries." My hesitation with adding the suggested sentence only on the SecureChain page is consistency: ELS for Runtimes, ELS for Applications, ELS for Libraries and ELS for OS all reuse the same policy text (incident response, support duration, technical support) without explicitly stating it. Singling out SecureChain to say "this mirrors ELS for Libraries" implies the other pages have a different relationship to those policies, which isn't the case.
I'd rather keep SecureChain consistent with how the rest of the docs handle this. If we want the mirroring to be explicit, I'd prefer to do it everywhere — either by adding the disclaimer to each product README, or by promoting the shared sections to a single canonical page that the product pages link to.
|
|
||
| ## Supported Versions | ||
|
|
||
| * **Lodash** 4.17.20 |
There was a problem hiding this comment.
I think we should delete the list. because we'll have ~10k packages.
|
|
||
| ```text | ||
| registry=https://nexus.repo.tuxcare.com/repository/securechain-js/ | ||
| //nexus.repo.tuxcare.com/repository/securechain-js/:_auth=${TOKEN} |
There was a problem hiding this comment.
Two issues with this .npmrc snippet:
_authvs_authToken._authexpects base64(user:password);_authTokenexpects a bearer token. Which one Sales hands the customer determines which field is correct here. If we're issuing Nexus user tokens (the Nexus default for npm),_authToken=NpmToken.<...>is the right field. Verify with the Nexus admin and update.${TOKEN}shell expansion in.npmrcis supported by npm but only at install time and only ifTOKENis exported in the environment. Lots of users miss this. Either:- Spell it out ("export
TOKEN=...in your shell before runningnpm install, or store it in a CI secret"), or - Recommend
npm config set //nexus.repo.tuxcare.com/repository/securechain-js/:_authToken <token>to avoid the env-var indirection entirely.
- Spell it out ("export
If Nexus needs it, also add always-auth=true.
| Remove the lockfile and cached modules so npm fetches Lodash from the SecureChain registry: | ||
|
|
||
| ```text | ||
| rm -rf node_modules package-lock.json && npm cache clean --force |
There was a problem hiding this comment.
npm cache clean --force is heavier than necessary and affects every project on this machine that shares the npm cache. For a fresh install from a different registry, rm -rf node_modules package-lock.json && npm install is sufficient — npm fetches from the configured registry regardless of cache. Suggest dropping --force (and the cache clean entirely on first install).
| Remove the lockfile and cached modules so npm picks up the latest TuxCare-built version from the SecureChain registry: | ||
|
|
||
| ```text | ||
| rm -rf node_modules package-lock.json && npm cache clean --force |
There was a problem hiding this comment.
Same as the install page: npm cache clean --force shouldn't be needed for a normal upgrade. It clears the entire local npm cache (every project), which is rude side-effects for what's a one-package upgrade. Removing node_modules and package-lock.json then npm install is enough — the cache is keyed by URL+integrity hash so SecureChain artifacts won't collide with upstream. Recommend dropping the --force clean from the upgrade flow.
- Drop "malware-free" from component hero and home card; not a claim we make - Drop Rust from ecosystem stub (not on the roadmap) and rephrase card copy to reflect JavaScript at launch with the rest on the roadmap - Drop CVSS version pin so the page tracks v3.1/v4.0 as adopted - Remove "being finalized" SLA warning to avoid shipping it publicly - Correct SBOM bullet: SPDX/CycloneDX for SBOMs, CycloneDX VEX as a separate accompanying document with exploitability status https://claude.ai/code/session_01EV89C7mnQRZJAa2D9SDbFH
3 participants
Adds a new top-level docs section for SecureChain: landing page, JavaScript/Lodash setup guide (a placeholder example), repository management page, ecosystem grid component, sidebar entry, and home card.