add SECURITY.md #547

Merged
merged 1 commit into from
Mar 10, 2021

pinheadmz
Member

Closes #199

@pinheadmz pinheadmz requested a review from chjj January 28, 2021 19:17

coveralls commented Jan 28, 2021

Pull Request Test Coverage Report for Build 534851082

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.02%) to 59.721%

Totals Coverage Status
Change from base Build 534797126: 0.02%
Covered Lines: 19590
Relevant Lines: 30577

💛 - Coveralls

@pinheadmz pinheadmz requested a review from tynes January 28, 2021 19:24
Contributor

@tynes tynes left a comment

Besides the two comments, I think another possibility would be to include the pubkeys themselves directly in the SECURITY.md. This means that there is a chance they could go stale, as it would be another place to have to remember to update them. Having them in git is kind of nice, though.

@pinheadmz
Member Author

Added my own email and key, and specified a keyserver in the example command where both my and JJ's key can be downloaded. I think that and Keybase are sufficient sources. Both of those systems are well-known PKI and users may have social "connections" or trusted peers in common, etc., which I think is a bit more pro than hosting the keys inside the git repo. Keybase in particular also verifies Twitter, Reddit and GitHub, so I think that's a good way to serve the keys.

@pinheadmz pinheadmz merged commit b1d5ff3 into handshake-org:master Mar 10, 2021
Successfully merging this pull request may close these issues.

Add SECURITY.md
4 participants