Skip to content

/prev.rust-lang.org

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add security page #123

Merged
merged 1 commit into from May 24, 2015

Conversation

Reviewers
No reviews
Assignees

@pcwalton pcwalton

Labels
None yet
Projects
None yet
Milestone
No milestone
8 participants
@steveklabnik @rust-highfive @bluss @brson @SimonSapin @reedloden @jruderman @pcwalton
@steveklabnik
Copy link
Member

steveklabnik commented May 15, 2015

Not quite ready to merge. We need the notifications mailing list, and for #120 to link to it, so we'll probably merge this shortly after that lands.

@rust-highfive rust-highfive assigned pcwalton May 15, 2015

@rust-highfive

This comment has been minimized.

Sign in to view
Copy link

rust-highfive commented May 15, 2015

r? @pcwalton

(rust_highfive has picked a reviewer for you, use r? to override)
security.html
hours indicating the next steps in handling your report. If you would like, you
can encrypt your report using <a href="rust-key.gpg.ascii">our public key</a>.
This key is also <a
href="https://pgp.mit.edu/pks/lookup?op=vindex&search=0xEFB9860AE7520DAC">On

This comment has been minimized.

Sign in to view
Copy link
@jruderman

jruderman May 15, 2015

Please fix the unescaped & here and in the other pgp.mit.edu links

This comment has been minimized.

Sign in to view
Copy link
@steveklabnik

steveklabnik May 24, 2015

Author Member

@jruderman why would this need to be escaped?

This comment has been minimized.

Sign in to view
Copy link
@reedloden

reedloden May 24, 2015

It needs to be &amp; instead of &, as it's part of an HTML attribute. In fact, if you open up http://www.rust-lang.org/security.html in Firefox and view the source, you'll see the & is highlighted in red right now because it's invalid.

This comment has been minimized.

Sign in to view
Copy link
@steveklabnik

steveklabnik May 24, 2015

Author Member

I feel... really dumb. I guess I'm so used to frameworks generating this for me, that I always thought it would need to be escaped in text, but not as part of an <a>. https://validator.w3.org/check?uri=http%3A%2F%2Fwww.rust-lang.org%2Fsecurity.html&charset=%28detect+automatically%29&doctype=Inline&group=0 points this out too.

This comment has been minimized.

Sign in to view
Copy link
@steveklabnik

steveklabnik May 24, 2015

Author Member

continued in #142

This comment has been minimized.

Sign in to view
Copy link
@SimonSapin

SimonSapin May 25, 2015

Contributor

For what it’s worth, it’s an authoring requirement in the HTML spec to escape & there, but there’s also a implementation requirement in the spec for parsers to fix it up so that the end the result is the same. So the concern is mostly theoretical.
security.html Outdated

<ul>
<li>Contact the current security coordinator (<a href="mailto:steve@steveklabnik.com">Steve Klabnik</a> (<a href="https://pgp.mit.edu/pks/lookup?op=vindex&search=0xDAE717EFE9424541">public key</a>)) directly.</li>
<li>Contact the back-up contact (<a href="mailto:andersrb@gmail.com"></a> (<a href="https://pgp.mit.edu/pks/lookup?op=vindex&search=0x16457A6368CFF26F">public key</a>)) directly.</li>

This comment has been minimized.

Sign in to view
Copy link
@jruderman

jruderman May 15, 2015

This mailto link is missing anchor text.
security.html Outdated
descriptive subject line to avoid having your report be missed. After the
initial reply to your report, the security team will endeavor to keep you
informed of the progress being made towards a fix and full announcement. As
recommended by <a href="http://en.wikipedia.org/wiki/RFPolicy">RFPolicy</a>,

This comment has been minimized.

Sign in to view
Copy link
@jruderman

jruderman May 15, 2015

Wikipedia link should use HTTPS
security.html
can take:</p>

<ul>
<li>Contact the current security coordinator (<a href="mailto:steve@steveklabnik.com">Steve Klabnik</a> (<a href="https://pgp.mit.edu/pks/lookup?op=vindex&search=0xDAE717EFE9424541">public key</a>)) directly.</li>

This comment has been minimized.

Sign in to view
Copy link
@jruderman

jruderman May 15, 2015

Having to combine a mailto link with a separate public key link seems suboptimal. Is there a way to include a public key in a mailto link? Or could you provide a web-based form?

This comment has been minimized.

Sign in to view
Copy link
@steveklabnik

steveklabnik May 24, 2015

Author Member

There isn't a good way to include it, no.
@bluss

This comment has been minimized.

Sign in to view
Copy link

bluss commented May 24, 2015

Can we spell out explicitly that anything allowing breaking memory safety in safe rust code is a security issue? It's unclear to me if the intention is just rustc & other applications and regular security holes in them (what that would be) or something more directly relating to the safety properties of the language itself.

Also: Does it in that case apply to only the stable channel, or other channels too?

If I don't get it, others might be confused as well.
@steveklabnik

This comment has been minimized.

Sign in to view
Copy link
Member Author

steveklabnik commented May 24, 2015

@bluss I wanted to make the topic of what should be a security bug be an RFC we discuss, but have this page up in the meantime.
@steveklabnik

This comment has been minimized.

Sign in to view
Copy link
Member Author

steveklabnik commented May 24, 2015

@brson other than the few nits, are you okay with merging this?
@brson

This comment has been minimized.

Sign in to view
Copy link
Contributor

brson commented May 24, 2015

@steveklabnik yes

@steveklabnik steveklabnik force-pushed the steveklabnik:security branch from b588fda to d372044 May 24, 2015

steveklabnik added a commit that referenced this pull request May 24, 2015

@steveklabnik
Merge pull request #123 from steveklabnik/security 
Add security page
8e72a1f

@steveklabnik steveklabnik merged commit 8e72a1f into rust-lang:gh-pages May 24, 2015

@steveklabnik

This comment has been minimized.

Sign in to view
Copy link
Member Author

steveklabnik commented May 24, 2015

I merged this so we could see http://www.rust-lang.org/security.html , but it's not linked from anywhere yet. @jruderman , after I hear from you regarding the escaping issue, i'll make another PR linking it from the homepage.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.