From: Jérémie Roquet
Date: Mon, 28 Dec 2020 01:11:10 +0100
Subject: Re: Security
To: Phil Pennock
Cc: Daniel Shahaf, "Zsh Hackers' List"
X-Seq: 47766

On Mon, 28 Dec 2020 at 00:37, Phil Pennock wrote:
>
> On 2020-12-27 at 23:40 +0100, Jérémie Roquet wrote:
> > Daniel, Phil, would it be possible to advertise for this new list on
> > the mailing lists page?
> >
> > http://zsh.sourceforge.net/Arc/mlist.html
>
> Theoretically done. I don't know how much caching there is inside
> SourceForge, but the git repo has been updated and the website content
> has been rsync'd.

That's visible for me now. Thank you!

> > … and maybe set up a security.txt as well?
> >
> > https://securitytxt.org/
> >
> > That's not yet a widely recognized standard, but I believe someone
> > unfamiliar with a project yet familiar with security would start by
> > looking there if there's a contact address.
>
> This one is not my call to make. I like the general idea and use it for
> my own site (which ~nobody cares about) but I'm not going to deploy
> without other folks mulling it over first.

That's fair.

So, for anyone wondering what this security.txt thing is about: it's a
single file made available at $DOMAIN/.well-known/security.txt, in
which some predefined fields can / should be filled in, such as an
email address to use to report security issues.

This is mostly used to report issues on websites rather than in
software, but I believe it's a place where people into security will
look anyway if they are trying to find a contact address (possibly
before looking at the website itself).

The specification is intended to become a standard but isn't yet; its
ability to become one is also driven by its adoption, of course (the
usual chicken-and-egg problem).

Thanks again,

-- 
Jérémie
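
The file described in the message above, as an added example that is not part of the original message or of the zsh project: a small parser that reads a security.txt body and checks its Contact and Expires fields. The field rules follow the security.txt specification as later published in RFC 9116; the sample file, the example.org addresses and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample; example.org and both addresses are placeholders.
SAMPLE = """\
# Constructed example of https://example.org/.well-known/security.txt
Contact: mailto:security@example.org
contact: https://example.org/report
Expires: 2031-01-01T00:00:00Z
Preferred-Languages: en, fr
"""

def parse_security_txt(text):
    """Return (fields, problems); fields maps lowercased name -> list of values."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        # Field names are case-insensitive; a field may repeat (several Contacts).
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, problems

def check(text, now=None):
    """Return (contacts, problems) for a security.txt body."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field: reporters have nowhere to write")
    for c in contacts:
        # A bare e-mail address is a common mistake; the value must be a URI.
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact {c!r}: expected a mailto:, https: or tel: URI")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if datetime.fromisoformat(expires[0].replace("Z", "+00:00")) <= now:
                problems.append("file has expired; contact data may be stale")
        except (ValueError, TypeError):
            problems.append("Expires is not a timestamp with a UTC offset")
    return contacts, problems

if __name__ == "__main__":
    print(check(SAMPLE))
```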