
Update RTD security docs #3641

Merged (2 commits, Feb 22, 2018)

Conversation

davidfischer (Contributor) commented Feb 19, 2018

Fixes #3637

humitos (Member) left a comment

I like it!

Just left a question to understand how the well-known URI is used (not a blocker)


@@ -34,6 +34,8 @@
url(r'^$', HomepageView.as_view(), name='homepage'),
url(r'^support/', SupportView.as_view(), name='support'),
url(r'^security/', TemplateView.as_view(template_name='security.html')),
url(r'^.well-known/security.txt',
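Review bot: the new pattern `r'^.well-known/security.txt'` leaves both dots unescaped and has no `$` anchor, so `.` matches any character and any path that merely starts with that text is routed here as well; suggest `r'^\.well-known/security\.txt$'` so only the exact well-known path is served, matching the anchored `^$` homepage pattern above it.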
humitos (Member) Feb 20, 2018

Do we need this? Who uses it? How?

(I read the RFC at https://tools.ietf.org/html/rfc5785 but I don't understand the use case)


davidfischer (Contributor, Author) Feb 20, 2018

I should have put more details. A security.txt file is not yet a standard but may be. It has been submitted to become an RFC. The goal of it is that it is a standard place where a security researcher can find the right place to disclose an issue.

https://securitytxt.org/


ericholscher (Member) left a comment

👍 -- only bit is we need to make sure we can actually read the email from the PGP key :)



You may use this `PGP key`_ to securely communicate with us and to verify signed messages you receive from us.

.. _PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71337C3047A1B066
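Review bot: the `PGP key`_ target is a plain `http://` keyserver lookup, so a reader who follows it has no way to confirm that the key they received is the one intended; suggest printing the key's full fingerprint in this document next to the link (and, ideally, also hosting the key on the docs site over https), so the `0x71337C3047A1B066` lookup can be verified against something served from the project itself.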
ericholscher (Member) Feb 21, 2018

I believe this is my PGP key, and I'm not confident I still have access to it. Perhaps we should generate a new one via keybase or something, perhaps that we can share with the team?


davidfischer (Contributor, Author) Feb 21, 2018

Oh, if you don't have access to it that is definitely a problem. I'll create a new one and share the key.


Security issue archive
~~~~~~~~~~~~~~~~~~~~~~

It's only a matter of time...
ericholscher (Member) Feb 21, 2018

Yep :/


davidfischer (Contributor, Author) commented Feb 21, 2018

The security@ email is now live


@@ -0,0 +1 @@
Policy: https://docs.readthedocs.io/en/latest/security.html
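Review bot: the file contains a single `Policy:` line and no `Contact:` line, so a researcher who finds it is still sent off to read the policy page to discover where to report, whereas the purpose given for the file earlier in this thread is to point directly at the right place to disclose; suggest adding a `Contact:` line (e.g. `Contact: mailto:security@<domain>`, using the security@ mailbox set up in this thread) and, once the new key is published on the docs site, an `Encryption:` line pointing at it over https.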
humitos (Member) Feb 21, 2018

Reading the official page, https://securitytxt.org/ I found that there are more fields we can add here:

Contact:
Encryption: 
Acknowledgements: 
Policy: 
Signature: 
Hiring: 

Contact, Encryption and Signature are good candidates I think.
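The fields listed above are the whole of the file format, so here is an added example (not Read the Docs code, and not from this PR) of a small Python parser and checker for a security.txt. It requires a Contact: line, insists that Contact: be a mailto:, tel: or https: URI, and requires the other fields to point at https URLs; those scheme rules are this example's own choices rather than anything stated in the thread. The sample inputs are constructed with example.org placeholders, apart from the Policy: line, which is the one this PR adds.

```python
"""Parse and sanity-check a security.txt file.

Added example for this thread; it is not Read the Docs code. The field names
are the ones listed in the comment above; the rules about which URI schemes
are acceptable are this example's own choices.
"""
import re
from urllib.parse import urlparse

# Field names as listed on securitytxt.org at the time of this PR.
KNOWN_FIELDS = {"Contact", "Encryption", "Acknowledgements", "Policy", "Signature", "Hiring"}
# Fields whose values point at web resources and should therefore be https URLs.
WEB_FIELDS = KNOWN_FIELDS - {"Contact"}
FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(\S.*?)\s*$")


def parse_security_txt(text):
    """Map each field name to the list of its values, in file order.

    Blank lines and '#' comments are skipped. A line that is not
    'Field: value' raises ValueError, because a file that does not parse
    is useless to anyone relying on it.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = FIELD_RE.match(line)
        if not match:
            raise ValueError("line %d is not 'Field: value': %r" % (lineno, raw))
        # Field names are matched case-insensitively by normalising their case.
        name = match.group(1).capitalize()
        fields.setdefault(name, []).append(match.group(2))
    return fields


def check_security_txt(text):
    """Return a list of findings; an empty list means the file looks sane."""
    findings = []
    fields = parse_security_txt(text)

    # Contact is the field that gives a researcher somewhere to report to;
    # without it the file does not serve its stated purpose.
    if "Contact" not in fields:
        findings.append("missing required Contact: field")

    for name, values in fields.items():
        if name not in KNOWN_FIELDS:
            findings.append("unknown field %s" % name)
            continue
        for value in values:
            scheme = urlparse(value).scheme.lower()
            if name == "Contact" and scheme not in ("mailto", "tel", "https"):
                # Bare addresses and http: contacts are rejected (this example's own rule).
                findings.append("Contact value %r should be a mailto:, tel: or https: URI" % value)
            elif name in WEB_FIELDS and scheme != "https":
                # A key or policy fetched over plain http can be swapped in transit,
                # which defeats the point of publishing it.
                findings.append("%s value %r should use https" % (name, value))
    return findings


# Constructed samples. PR_FILE is the one-line file added in this PR;
# FULL_FILE adds the fields suggested in the comment above, with placeholder
# addresses and URLs.
PR_FILE = "Policy: https://docs.readthedocs.io/en/latest/security.html\n"
FULL_FILE = """\
# Constructed example; security@example.org and the key URL are placeholders.
Contact: mailto:security@example.org
Encryption: https://example.org/security-pgp-key.asc
Policy: https://docs.readthedocs.io/en/latest/security.html
"""

if __name__ == "__main__":
    for label, body in (("PR file", PR_FILE), ("full file", FULL_FILE)):
        print("%s: %s" % (label, check_security_txt(body) or "OK"))
```

Run as a script it reports the single finding against the PR's one-line file and "OK" for the fuller one; the parser raises on any line that is not "Field: value" rather than silently skipping it, so a typo in the file is caught before it is published.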


davidfischer (Contributor, Author) commented Feb 21, 2018

I have generated the new GPG key and I'll push an update here once it has been received by the key servers.


davidfischer (Contributor, Author) commented Feb 21, 2018

The key has been updated and this is ready to go.


ericholscher merged commit 6317e06 into readthedocs:master Feb 22, 2018 (1 check passed)
ericholscher (Member) commented Feb 22, 2018

🎆
