
Update RTD security docs #3641

Merged
merged 2 commits into from Feb 22, 2018

@davidfischer
Contributor

davidfischer commented Feb 19, 2018

Fixes #3637

@humitos

I like it!

Just left a question to understand how the well-known URI is used (not a blocker)

@@ -34,6 +34,8 @@
url(r'^$', HomepageView.as_view(), name='homepage'),
url(r'^support/', SupportView.as_view(), name='support'),
url(r'^security/', TemplateView.as_view(template_name='security.html')),
url(r'^.well-known/security.txt',
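Review bot: the new pattern `r'^.well-known/security.txt'` leaves both dots unescaped and has no `$` anchor, so it also matches paths such as `/xwell-known/security_txt` or `/.well-known/security.txt.bak`; `r'^\.well-known/security\.txt$'` matches only the intended path. The hunk is cut off after the pattern, so the view is not visible here; worth confirming it serves the file as plain text rather than rendered HTML.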


@humitos

humitos Feb 20, 2018

Member

Do we need this? Who uses it? How?

(I read the RFC at https://tools.ietf.org/html/rfc5785 but I don't understand the use case)


@davidfischer

davidfischer Feb 20, 2018

Contributor

I should have put more details. A security.txt file is not yet a standard but may be. It has been submitted to become an RFC. The goal of it is that it is a standard place where a security researcher can find the right place to disclose an issue.

https://securitytxt.org/

@ericholscher

👍 -- only bit is we need to make sure we can actually read the email from the PGP key :)

You may use this `PGP key`_ to securely communicate with us and to verify signed messages you receive from us.
.. _PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71337C3047A1B066
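Review bot: the key link is plain `http://` to the keyserver and the page prints no fingerprint, so a reader who fetches the key has nothing to verify it against; link the keyserver over https where it is offered and put the key's full fingerprint next to the link. As raised in this thread, also confirm someone on the team still holds the private key before advertising it for encrypted reports.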


@ericholscher

ericholscher Feb 21, 2018

Member

I believe this is my PGP key, and I'm not confident I still have access to it. Perhaps we should generate a new one via keybase or something, perhaps that we can share with the team?


@davidfischer

davidfischer Feb 21, 2018

Contributor

Oh, if you don't have access to it that is definitely a problem. I'll create a new one and share the key.

Security issue archive
~~~~~~~~~~~~~~~~~~~~~~
It's only a matter of time...

@davidfischer

Contributor

davidfischer commented Feb 21, 2018

The security@ email is now live

@@ -0,0 +1 @@
Policy: https://docs.readthedocs.io/en/latest/security.html
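Review bot: the new `.well-known/security.txt` carries only `Policy:`; the field a researcher needs first is `Contact:`, and `Encryption:` should point at the key the policy page references, otherwise the file just redirects to the HTML page. Suggest adding `Contact: mailto:security@<domain>` (the thread says the security@ address is live) and `Encryption: <https URL of the published key>` above the `Policy:` line.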


@humitos

humitos Feb 21, 2018

Member

Reading the official page, https://securitytxt.org/, I found that there are more fields we can add here:

Contact:
Encryption: 
Acknowledgements: 
Policy: 
Signature: 
Hiring: 

Contact, Encryption and Signature are good candidates I think.
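A small checker for the field set listed above, added here as an example (not the project's code): it parses a security.txt, flags unknown fields, and raises the two points from this thread, a missing Contact and a key or policy link over plain http. The sample files, host names and key id are constructed.

```python
import re
from urllib.parse import urlparse

# Field names as listed on securitytxt.org in the comment above.
KNOWN_FIELDS = {"Contact", "Encryption", "Acknowledgements",
                "Policy", "Signature", "Hiring"}

def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}; report unknown
    or malformed lines. Blank lines and '#' comments are skipped."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z-]+):\s*(\S.*)$", line)
        if not m:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = m.group(1), m.group(2).strip()
        if name not in KNOWN_FIELDS:
            problems.append(f"line {lineno}: unknown field {name!r}")
        fields.setdefault(name, []).append(value)
    return fields, problems

def check_security_txt(text):
    """Return findings a reviewer would raise: no Contact means a researcher
    has no disclosure address; http links to the key or policy can be
    altered in transit, so the key a reader fetches is unverifiable."""
    fields, findings = parse_security_txt(text)
    if "Contact" not in fields:
        findings.append("missing Contact: no disclosure address is given")
    for value in fields.get("Contact", []):
        if not (value.startswith(("mailto:", "https://", "tel:")) or "@" in value):
            findings.append(f"Contact {value!r} is not a mailto:/https:/tel: URI or e-mail")
    for value in fields.get("Encryption", []) + fields.get("Policy", []):
        if urlparse(value).scheme != "https":
            findings.append(f"{value!r} is not an https URL; it could be replaced in transit")
    return findings

# Constructed samples: the first mirrors the one-line file in this PR's hunk,
# the second is a made-up fuller file with a plain-http key link and a typo'd field.
POLICY_ONLY = "Policy: https://docs.readthedocs.io/en/latest/security.html\n"
FULLER = ("# constructed example, not the project's file\n"
          "Contact: mailto:security@example.org\n"
          "Encryption: http://keyserver.example.org/pks/lookup?op=get&search=0xPLACEHOLDER\n"
          "Policy: https://docs.readthedocs.io/en/latest/security.html\n"
          "Hirring: https://example.org/jobs\n")
```

Running `check_security_txt` on `POLICY_ONLY` reports only the missing Contact; on `FULLER` it reports the misspelled field and the plain-http key link.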

@davidfischer


Contributor

davidfischer commented Feb 21, 2018

I have generated the new GPG key and I'll push an update here once it has been received by the key servers.

@davidfischer


Contributor

davidfischer commented Feb 21, 2018

The key has been updated and this is ready to go.

@ericholscher ericholscher merged commit 6317e06 into rtfd:master Feb 22, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@ericholscher


Member

ericholscher commented Feb 22, 2018

🎆
