Essential Security Practices for DVS Developers
Least Privilege:
Containers should run with the minimum required privileges, which should be specified by the DVS developer team. If not specified, operators should consult the DVS developer team directly.
Security and Maintenance:
Emit runtime logs, including security events.
Use minimal base images, such as Go containers built with ko, to reduce the attack surface.
Release updated images with security patches regularly.
Ensure DVS-related ECDSA keys are used only for non-fund-holding updates (e.g., modifying IP and port details in a smart contract).
Container Management:
Do not store key material on containers; refer to key management documentation.
User IDs should be formatted as DVS-NAME-random to avoid conflicts with the host.
Image and Software Management:
DVS developer teams should sign their images for releases and upgrades, with Docker displaying a verified badge for signed images.
Tag new releases via updated images and provide clear release notes that explain new features and breaking changes.
Operators should control their software upgrades, avoiding automated upgrade mechanisms.
Communication:
Establish direct communication channels (e.g., Discord, Telegram) with operators to coordinate upgrades smoothly.
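One way an operator could check a running container against the least-privilege, container-management and image-management points above. This is an added example, not code from the DVS project. The sample `docker inspect` data, the name exampledvs, the reading of DVS-NAME-random as "<dvs name>-<random suffix>", the digest-pinning check and the key-name heuristic are all assumptions.

```python
import json
import re

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/hardened",
   "Config": {"User": "exampledvs-7f3a9c",
              "Image": "registry.example/exampledvs@sha256:<digest-placeholder>",
              "Env": ["LOG_LEVEL=info"]},
   "HostConfig": {"Privileged": false, "CapAdd": null}},
  {"Name": "/risky",
   "Config": {"User": "",
              "Image": "registry.example/exampledvs:latest",
              "Env": ["ECDSA_PRIVATE_KEY=constructed-placeholder"]},
   "HostConfig": {"Privileged": true, "CapAdd": ["SYS_ADMIN"]}}
]
""")

# Heuristic (assumption): env var names that suggest key material.
KEY_HINT = re.compile(r"PRIVATE_?KEY|MNEMONIC|SECRET|KEYSTORE", re.IGNORECASE)


def audit(container, dvs_name, allowed_caps=()):
    """Return finding codes for one `docker inspect` entry."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []
    # Assumed reading of DVS-NAME-random: "<dvs name>-<random suffix>".
    user = (cfg.get("User") or "").split(":")[0]
    if not re.fullmatch(re.escape(dvs_name) + r"-[a-z0-9]{4,}", user):
        findings.append("user")
    if host.get("Privileged"):
        findings.append("privileged")
    # Capabilities beyond those the DVS developer team specified.
    if set(host.get("CapAdd") or []) - set(allowed_caps):
        findings.append("cap_add")
    # A floating tag can change without the operator choosing to upgrade.
    if "@sha256:" not in cfg.get("Image", ""):
        findings.append("unpinned_image")
    env_names = [e.split("=", 1)[0] for e in cfg.get("Env") or []]
    if any(KEY_HINT.search(name) for name in env_names):
        findings.append("key_in_env")
    return findings


if __name__ == "__main__":
    for c in SAMPLE_INSPECT:
        print(c["Name"], audit(c, "exampledvs") or "ok")
```

Pass the capabilities the DVS developer team has specified as allowed_caps so that only unexpected additions are reported.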