diff --git a/CHANGES.rst b/CHANGES.rst index c958ef9b..25b6ad6d 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -9,11 +9,15 @@ v0.6.0 (unreleased) Announcements ^^^^^^^^^^^^^ -* `miranda` boilerplate code is now versioned with `cruft `_ and the `Ouranosinc/cookiecutter-pypackage `_ template. +* `miranda` boilerplate code is now versioned with `cruft `_ and the `Ouranosinc/cookiecutter-pypackage `_ template. + +Internal changes +^^^^^^^^^^^^^^^^ +* `miranda` now has a security policy (`SECURITY.md`) for disclosing sensitive issues using secure communication channels. This has also been added to the documentation. v0.5.0 (2023-06-19) ------------------- -Contributors to this version: Juliette Lavoie (:user: `juliettelavoie`), Trevor James Smith (:user:`Zeitsperre`). +Contributors to this version: Juliette Lavoie (:user:`juliettelavoie`), Trevor James Smith (:user:`Zeitsperre`). New features ^^^^^^^^^^^^ diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..2f2cfb5e --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,38 @@ +# Security Policy + +## Supported Versions + +`miranda` is in rapid development and receives regular updates every four to six (4-6) weeks. In the event of a security-related bug discovery soon after the release of an `miranda` version, the last supported version will receive a patch release. + +## Reporting a Vulnerability + +If you believe you have found a security vulnerability in `miranda`, we encourage you to let us know right away. We take all security vulnerabilities seriously and appreciate your efforts to responsibly disclose them. + +Please follow these steps to report a security vulnerability: + +1. **Email**: Email [github-support@ouranos.ca](mailto:github-support@ouranos.ca) with a detailed description of the vulnerability. If applicable, please include any steps or a proof-of-concept to help us understand and reproduce the issue. + +2. **Encryption (Optional)**: If you are concerned about the sensitivity of the information you are sharing, you can use the PGP key found below to encrypt your communication. + +3. **Response**: We will acknowledge your email within 48 hours and work with you to understand and confirm the vulnerability. + +4. **Fix and Disclosure**: Once the vulnerability is confirmed, we will work to address it promptly. We appreciate your patience as we investigate and implement a fix. Once resolved, we will coordinate the disclosure and provide credit to the reporter unless they prefer to remain anonymous. 
+ +## PGP Encryption Key + +You can use the following PGP key to encrypt your communications with us: + + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mDMEZamQrhYJKwYBBAHaRw8BAQdA+saPvmvr1MYe1nQy3n3QDcRE9T7UzTJ1XH31 + EI4Zb6u0Mk91cmFub3MgR2l0SHViIFN1cHBvcnQgPGdpdGh1Yi1zdXBwb3J0QG91 + cmFub3MuY2E+iJkEExYKAEEWIQSeAu+Cbjupx79jy9VeVFD6o5TVcwUCZamQrgIb + AwUJCWYBgAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRBeVFD6o5TVc4ho + AQDXjDkx0b3A7yl6PQ4hBJ2uYzw0UWbml7mUwVdhMmdZkQD/VJZQNWrCQeOtYEM8 + icZJYwR/OsKFOWqlDytusGGtjwa4OARlqZCuEgorBgEEAZdVAQUBAQdAa41Zabjz + P9O+p6tI69Cnft6U5om3+qCcMo8amTqauH0DAQgHiH4EGBYKACYWIQSeAu+Cbjup + x79jy9VeVFD6o5TVcwUCZamQrgIbDAUJCWYBgAAKCRBeVFD6o5TVcwmaAQClDxW6 + 2gir7lhRXAcO+vmRImpGd29TrkcQVh+ak7VlwQEA706d7Kusiorlf/h8pLSoNMmS + kuLGmHpUJ8NVGppU+wo= + =wuxr + -----END PGP PUBLIC KEY BLOCK----- diff --git a/docs/conf.py b/docs/conf.py index 50f3e2e8..19c8d58f 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -43,6 +43,7 @@ "sphinx.ext.viewcode", "sphinx_codeautolink", "sphinx_copybutton", + "sphinx_mdinclude", "nbsphinx", "IPython.sphinxext.ipython_console_highlighting", ] @@ -107,7 +108,7 @@ # built documents. # # The short X.Y version. -version = miranda.__version__ +version = miranda.__version__.split("-")[0] # The full version, including alpha/beta/rc tags. release = miranda.__version__ diff --git a/docs/index.rst b/docs/index.rst index 4fac9f3f..bbd66d81 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -11,6 +11,7 @@ Welcome to miranda's documentation! contributing authors changes + security license .. toctree:: diff --git a/docs/security.rst b/docs/security.rst new file mode 100644 index 00000000..f9a52196 --- /dev/null +++ b/docs/security.rst @@ -0,0 +1 @@ +.. mdinclude:: ../SECURITY.md diff --git a/environment-docs.yml b/environment-docs.yml index 44fcd965..259fcd80 100644 --- a/environment-docs.yml +++ b/environment-docs.yml 
@@ -13,4 +13,5 @@ dependencies: - sphinx-codeautolink - sphinx-copybutton - sphinx-intl + - sphinx-mdinclude - sphinxcontrib-napoleon diff --git a/pyproject.toml b/pyproject.toml index b4df4362..e510de03 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -75,6 +75,7 @@ docs = [ "sphinx_codeautolink", "sphinx_copybutton", "sphinx-intl", + "sphinx-mdinclude", "sphinxcontrib-napoleon", "nbsphinx", "pandoc",
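Review bot: the new `Internal changes` entry in the CHANGES.rst hunk only mentions `SECURITY.md`, but the same patch also changes how `version` is derived in docs/conf.py and adds the `sphinx-mdinclude` docs dependency in environment-docs.yml and pyproject.toml; add a line for each so the changelog matches what the diff actually ships.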
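Review bot: the `Supported Versions` section of SECURITY.md never says which versions are supported; "the last supported version will receive a patch release" is circular, so state it plainly (for example, that only the most recent release receives security fixes) and fix "an `miranda` version" to "a `miranda` version". The `PGP Encryption Key` section publishes the key block but not its fingerprint or expiry, so a reporter cannot check the key they fetched against an out-of-band value; put the fingerprint next to the block and note when the key expires or is rotated. Steps 3 and 4 give a 48-hour acknowledgement but no target window for a fix or for public disclosure; even an approximate timeline sets expectations for reporters and for coordinated disclosure.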
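Review bot: `version = miranda.__version__.split("-")[0]` in docs/conf.py silently drops everything after the first hyphen, which only helps for a hyphenated suffix such as `0.6.0-dev` and is a no-op for PEP 440 strings such as `0.6.0.dev0`; it is also unrelated to the security policy this patch adds. Add a comment beside the line stating the `__version__` format it expects, or move the change to its own commit with a changelog entry.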
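Review bot: `.. mdinclude:: ../SECURITY.md` in docs/security.rst includes the Markdown file verbatim, so the `mailto:` link, the numbered list with bold lead-ins and the indented PGP key lines all depend on `sphinx_mdinclude` converting them as intended; please check the built page once so the key block still renders as one contiguous preformatted block that can be copied without alteration.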
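Review bot: `sphinx-mdinclude` is added to environment-docs.yml and to the `docs` extra in pyproject.toml without any version bound, matching the neighbouring unpinned entries; since the new `security` page depends on the `mdinclude` directive, consider at least a lower bound so a future incompatible release does not silently break the docs build.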