Date: Mon, 28 Dec 2020 10:46:12 +0000
From: Daniel Shahaf
To: Jérémie Roquet
Cc: Zsh Hackers' List
Subject: Re: Security
Message-ID: <20201228104612.GC10030@tarpaulin.shahaf.local2>

Jérémie Roquet wrote on Mon, Dec 28, 2020 at 01:11:10 +0100:
> On Mon, 28 Dec 2020 at 00:37, Phil Pennock wrote:
> >
> > On 2020-12-27 at 23:40 +0100, Jérémie Roquet wrote:
> > > Daniel, Phil, would it be possible to advertise for this new list on
> > > the mailing lists page?
> > >
> > > http://zsh.sourceforge.net/Arc/mlist.html
> >
> > Theoretically done. I don't know how much caching there is inside
> > SourceForge, but the git repo has been updated and the website content
> > has been rsync'd.
>
> That's visible for me now. Thank you!
>
> > > … and maybe set up a security.txt as well?
> > >
> > > https://securitytxt.org/
> > >
> > > That's not yet a widely recognized standard, but I believe someone
> > > unfamiliar with a project yet familiar with security would start by
> > > looking there if there's a contact address.
> >
> > This one is not my call to make. I like the general idea and use it for
> > my own site (which ~nobody cares about) but I'm not going to deploy
> > without other folks mulling it over first.
>
> That's fair. So, for anyone wondering what this security.txt thing is
> about: it's a single file made available at
> $DOMAIN/.well-known/security.txt, in which some predefined fields can
> / should be filled in, such as an email address to use to report
> security issues. This is mostly used to report issues on websites rather
> than in software, but I believe it's a place where people into
> security will look at anyway if they are trying to find a contact
> address (possibly before looking at the website itself). The
> specification is intended to become a standard

Are you sure about this? The Internet Draft's "Intended status" is
"Informational", as opposed to "Standards track".

> but isn't yet; its ability to become one is also driven by its adoption, of
> course (the usual chicken-and-egg problem).

Cheers,

Daniel