.well-known: import a tentative security.txt
Needs ReviewPublic
Actions

Authored by khorben_defora.org on Dec 5 2024, 9:58 PM.

Details

Reviewers

Group Reviewers

docs
secteam

Summary

The information was gathered by myself, to the best of my knowledge, according to the public information available.

This was obtained with help from the official generator at https://securitytxt.org/.

Diff Detail

Repository

R9 FreeBSD doc repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

khorben_defora.org requested review of this revision.Dec 5 2024, 9:58 PM

khorben_defora.org created this revision.

khorben_defora.org added a reviewer: secteam.Dec 5 2024, 10:01 PM

For me it's ok everything except the FreeBSD Foundations links.
This is for the FreeBSD website, not for the FreeBSD Foundation website

Removed the (optional) links for "any security-related job openings in your organisation."

I really like this concept.
Why are there two policy lines?

This revision is now accepted and ready to land.Dec 5 2024, 11:22 PM

ziaee added inline comments.Dec 5 2024, 11:27 PM

website/static/.well-known/security.txt
9	Maybe? The example in the RFC includes the spec, and I think that's nice.

khorben_defora.org added inline comments.Dec 5 2024, 11:44 PM

website/static/.well-known/security.txt
9	Are you sure? According to https://www.rfc-editor.org/rfc/rfc9116#name-file-format-description-and it does not. I think the examples you refer to are not related to the security.txt file itself, but to IANA's registry for the fields allowed in the file.

In D47933#1092988, @concussious.bugzilla_runbox.com wrote:

I really like this concept.
Why are there two policy lines?

The "Policy" field is part of the fields with "optional repeated instances," allowing multiple alternatives to be specified.

Add descriptions of the fields used, as per the example from securitytxt.org.

This revision now requires review to proceed.Dec 5 2024, 11:51 PM

Also note that the contents of this file can be signed with an OpenPGP clear-text signature by the security team, in order to clearly authenticate it as legitimate.

Oops! You're right. I don't think the field descriptions help it though, the fields are very self explanatory but the comments adds bikeshedable language? This is really an architectural decision for secteam, will certainly result in increased spam, but maybe helpful. So, I'll bow out now.

In D47933#1093012, @concussious.bugzilla_runbox.com wrote:

Oops! You're right. I don't think the field descriptions help it though, the fields are very self explanatory but the comments adds bikeshedable language? This is really an architectural decision for secteam, will certainly result in increased spam, but maybe helpful. So, I'll bow out now.

I was thinking about spam too, however I saw that https://www.freebsd.org/administration/#t-secteam has a whole list of e-mail addresses ready for the taking, so I suppose (or really hope) that every address on this page already has a solid spam filter.

It is true that having the security file makes it easier to locate this specific set of valid e-mail aliases.

On a related note, I wonder if I should add the aliases and policies relevant to security reports affecting the ports tree to the security.txt file.
Thoughts?

lwhsu added a subscriber: lwhsu.Dec 6 2024, 1:24 PM

Revision Contents
Changeset List

Path

Size

website/

static/

.well-known/

security.txt

18 lines

Diff 147555

View Options

website/static/.well-known/security.txt

.well-known: import a tentative security.txtNeeds ReviewPublicActions