From db843891f27f5560421095f48aefbb9756643ff8 Mon Sep 17 00:00:00 2001 From: pennae Date: Tue, 26 Jul 2022 13:54:56 +0200 Subject: add some extra warning to readme --- README.md | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 33052c6..5279994 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,9 @@ to): - support tools - and others. +**WARNING**: no security audit of this project has been done. it may or may not +eat or expose your data. use at your own risk. + # requirements - postgresql 14 or newer 
@@ -29,22 +32,27 @@ to): minor skulk is built using cargo. rust version 1.61 and newer should work, older versions have not been tested. - * compile minor-skulk with `cargo build`. - * edit `Rocket.toml`, settings values for all the mandatory parameters - * for test deployments it's sufficient to use the http server provided by - minor-skulk. live deployments **must** use a reverse proxy to add TLS! + * compile with `cargo build` + * edit `Rocket.toml`, setting values for all the mandatory parameters + * for test deployments it's sufficient to use the built-in http server. live + deployments **must** use a reverse proxy to add TLS! * install [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs) * configure syncstorage-rs for a single-node setup as exemplified in [this nixos module](https://github.com/NixOS/nixpkgs/pull/176835). you will also have to set `tokenserver.fxa_oauth_server_url` as noted in `Rocket.toml`, otherwise actual sync will not work. +minor skulk should be run under a dedicated user account that is *not* shared +with syncstorage-rs. it should definitely *not* be run as root. as previously +mentioned, deploying this on the internet **must** be done through a TLS proxy +since minor skulk itself does not handle TLS in any way. + # configuring firefox desktop go to `about:config` and set `identity.fxaccounts.autoconfig.uri` to the address of your server, e.g. `http://localhost:8000` if you're just starting minor-skulk locally for testing. if you are not using https you -must also create a `identity.fxaccounts.allowHttp` settings with value `true`, +must also create a `identity.fxaccounts.allowHttp` setting with value `true`, otherwise firefox will not accept the config. restart firefox for the changes to take effect, then create an account or log in as usual. -- cgit v1.2.3
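Review bot: in the first hunk (the lines added before `# requirements`), the **WARNING** paragraph is appended directly after the last items of the preceding list, where a reader skimming ahead to the requirements can miss it, and "it may or may not eat or expose your data" does not tell the reader what to do with that information. Consider giving the warning its own heading or moving it ahead of the list, and stating the consequence plainly, for example that because no audit has been done the server should not hold data you cannot afford to lose or have disclosed.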
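Review bot: in the second hunk, the added paragraph starting "minor skulk should be run under a dedicated user account" restates that a TLS proxy is mandatory but never says the built-in http server must be reachable only through that proxy, so a deployment that adds the proxy while leaving the plain-HTTP port open to the network still follows these instructions as written. Suggest adding a sentence that in live deployments the listener should bind to a loopback or otherwise private address. The same paragraph gives no reason for keeping the account separate from syncstorage-rs; a one-clause rationale would help readers decide how strictly to apply it. Further down in the hunk, the `identity.fxaccounts.allowHttp` line is tied to "if you are not using https" but does not say the setting should stay unset once the server is behind TLS, which would match the **must** wording used for the proxy.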