
Introducing OpenSunshine: under 200 lines of code to end an argument

In the past, I’ve worked on the problem of dealing with Word documents and PDF data being imported on the web. One thing that I’ve learned is that Word Docs are a pain in the fucking ass, and that converting PDF, or at least stripping metadata, is a problem that has been solved, more or less. So, a few months ago, I started looking at how I would write a secure document submission platform.

The result that I came up with was a simple proof-of-concept called OpenSunshine. OpenSunshine is a tiny Python script written in Flask that does nothing but save a file and encrypt it using an editor’s GPG public key. It’s assumed that the editor would get the encrypted documents off the server, and decrypt them in another location. It’s simple, it’s to the point, and it’s 70 lines of code.

It should be noted that I’ve never used Flask before, and I chose Python because EVERYONE seems to know Python. I could have just as easily written this in JavaScript to run on Node.js, but Python has the GPG bindings, which is a big plus.

Anyway, the code can be found on my GitHub account here: https://github.com/infil00p/OpenSunshine

Please fork it, criticize it, and pick it apart. If it helps you, that’s great. What I do hope to prove is that by releasing code, no matter how buggy and broken it is, it will still be better than sitting on unproven, proprietary code that may not be much more complex than this. So far it only has the ability to remove metadata from PDFs, but I plan to add JPEG EXIF and Word Doc metadata stripping as well, but I would need more advice from people who actually analyze leaked documents as to whether this is a good idea.

Also, if anyone knows a way to get the file contents in memory and encrypt them immediately, please add that. I didn’t remember how to do that when I wrote this. I don’t run this in production because that would be dangerous and foolish, and I think that others shouldn’t run it in production unless they have tested it to their satisfaction, and are familiar with configuring their servers with SSL, Tor, I2P and other technologies. The one thing that a document submission site technically needs more than anything else is a REALLY GOOD systems administrator.
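One way to do the in-memory encryption asked about above, as an added example that is not part of OpenSunshine or the original post. It assumes the `gpg` binary is on the PATH with the editor's public key already imported; `store_encrypted`, `gpg_encrypt` and `MAX_BYTES` are hypothetical names, and `stream` is any file-like object such as the `.stream` of a Flask upload.

```python
import os
import secrets
import subprocess

MAX_BYTES = 10 * 1024 * 1024  # assumed upload cap; the whole file is held in RAM


def gpg_encrypt(plaintext: bytes, recipient: str) -> bytes:
    """Encrypt with the gpg CLI: plaintext goes in on stdin, ciphertext out on stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--trust-model", "always",
         "--encrypt", "--recipient", recipient, "--output", "-"],
        input=plaintext, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    )
    if proc.returncode != 0:
        raise RuntimeError("gpg failed: " + proc.stderr.decode(errors="replace"))
    return proc.stdout


def store_encrypted(stream, dest_dir, recipient,
                    encrypt=gpg_encrypt, max_bytes=MAX_BYTES):
    """Read an upload into memory, encrypt it, and write only the ciphertext."""
    plaintext = stream.read(max_bytes + 1)  # one extra byte detects oversize input
    if len(plaintext) > max_bytes:
        raise ValueError("upload exceeds size cap")
    if not plaintext:
        raise ValueError("empty upload")
    ciphertext = encrypt(plaintext, recipient)
    # Random name: the client-supplied filename is itself metadata.
    path = os.path.join(dest_dir, secrets.token_hex(16) + ".gpg")
    # O_EXCL refuses to overwrite an existing file; 0o600 keeps other local users out.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(ciphertext)
    return path
```

Werkzeug, which handles uploads for Flask, spools large request bodies to a temporary file by default, so the plaintext only stays off disk if the size cap (and Flask's `MAX_CONTENT_LENGTH`) is kept small.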

Finally, if you do use my code, I take no responsibility for it. You do it at your own risk. I really wish there was a clause called “Don’t risk people’s lives with my software”, but that would make it not free. Oh well, better to have it open and risk someone trying to use it and have it criticized for sucking than for it to suck in obscurity on my hard drive.