zsh-workers
From: Daniel Shahaf <d.s@daniel.shahaf.name>
To: "Jérémie Roquet" <jroquet@arkanosis.net>
Cc: Zsh Hackers' List <zsh-workers@zsh.org>
Subject: Re: Security
Date: Mon, 28 Dec 2020 10:46:12 +0000
Message-ID: <20201228104612.GC10030@tarpaulin.shahaf.local2>
In-Reply-To: <CAFOazAOv5MpK4oCtE2KONwUhand6D3Nj7i9z-SWkyD=iBXxmhg@mail.gmail.com>

Jérémie Roquet wrote on Mon, Dec 28, 2020 at 01:11:10 +0100:
> On Mon, 28 Dec 2020 at 00:37, Phil Pennock
> <zsh-workers+phil.pennock@spodhuis.org> wrote:
> >
> > On 2020-12-27 at 23:40 +0100, Jérémie Roquet wrote:
> > > Daniel, Phil, would it be possible to advertise for this new list on
> > > the mailing lists page?
> > >
> > >   http://zsh.sourceforge.net/Arc/mlist.html
> >
> > Theoretically done.  I don't know how much caching there is inside
> > SourceForge, but the git repo has been updated and the website content
> > has been rsync'd.
> 
> That's visible for me now. Thank you!
> 
> > > … and maybe set up a security.txt as well?
> > >
> > >   https://securitytxt.org/
> > >
> > > That's not yet a widely recognized standard, but I believe someone
> > > unfamiliar with a project yet familiar with security would start by
> > > looking there if there's a contact address.
> >
> > This one is not my call to make.  I like the general idea and use it for
> > my own site (which ~nobody cares about) but I'm not going to deploy
> > without other folks mulling it over first.
> 
> That's fair. So, for anyone wondering what this security.txt thing is
> about: it's a single file made available at
> $DOMAIN/.well-known/security.txt, in which some predefined fields can
> / should be filled in, such as an email address to use to report
> security issues. This is mostly used to report issues on websites rather
> than in software, but I believe it's a place where people into
> security will look anyway if they are trying to find a contact
> address (possibly before looking at the website itself). The
> specification is intended to become a standard

Are you sure about this?  The Internet Draft's "Intended status" is
"Informational", as opposed to "Standards track".

> but isn't yet; its ability to become one is also driven by its adoption, of
> course (the usual chicken-and-egg problem).

Cheers,

Daniel
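
Added example (not part of the original message, and not zsh project code): a short Python check of the security.txt format described in the quoted text above. The field names, the URI form of Contact and the single Expires field follow RFC 9116, the later published form of the draft; the sample file and its example.org addresses are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample file; the example.org addresses are placeholders.
SAMPLE = """\
# Constructed sample, not a real project's file
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2031-01-01T00:00:00Z
Preferred-Languages: en, fr
"""

FIELD = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

def parse(text):
    """Return {lowercased field name: [values]}; comments and blanks are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD.match(line)
        if m:  # field names are case-insensitive, so normalise them
            fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return fields

def problems(text, now=None):
    """List the reasons a reporter could not rely on this file."""
    now = now or datetime.now(timezone.utc)
    fields = parse(text)
    out = []
    contacts = fields.get("contact", [])
    if not contacts:
        out.append("no Contact field")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            out.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        out.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                out.append("file has expired")
        except (ValueError, TypeError):  # unparsable, or no UTC offset given
            out.append("Expires is not a usable timestamp")
    return out
```
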

