Add security page #123
Add security page #123
Conversation
|
r? @pcwalton (rust_highfive has picked a reviewer for you, use r? to override) |
| hours indicating the next steps in handling your report. If you would like, you | ||
| can encrypt your report using <a href="rust-key.gpg.ascii">our public key</a>. | ||
| This key is also <a | ||
| href="https://pgp.mit.edu/pks/lookup?op=vindex&search=0xEFB9860AE7520DAC">On |
There was a problem hiding this comment.
Please fix the unescaped & here and in the other pgp.mit.edu links
There was a problem hiding this comment.
@jruderman why would this need to be escaped?
There was a problem hiding this comment.
It needs to be & instead of &, as it's part of an HTML attribute. In fact, if you open up http://www.rust-lang.org/security.html in Firefox and view the source, you'll see the & is highlighted in red right now because it's invalid.
There was a problem hiding this comment.
I feel... really dumb. I guess I'm so used to frameworks generating this for me, that I always thought it would need to be escaped in text, but not as part of an <a>. https://validator.w3.org/check?uri=http%3A%2F%2Fwww.rust-lang.org%2Fsecurity.html&charset=%28detect+automatically%29&doctype=Inline&group=0 points this out too.
There was a problem hiding this comment.
For what it’s worth, it’s an authoring requirement in the HTML spec to escape & there, but there’s also a implementation requirement in the spec for parsers to fix it up so that the end the result is the same. So the concern is mostly theoretical.
|
Can we spell out explicitly that anything allowing breaking memory safety in safe rust code is a security issue? It's unclear to me if the intention is just rustc & other applications and regular security holes in them (what that would be) or something more directly relating to the safety properties of the language itself. Also: Does it in that case apply to only the stable channel, or other channels too? If I don't get it, others might be confused as well. |
|
@bluss I wanted to make the topic of what should be a security bug be an RFC we discuss, but have this page up in the meantime. |
|
@brson other than the few nits, are you okay with merging this? |
|
@steveklabnik yes |
|
I merged this so we could see http://www.rust-lang.org/security.html , but it's not linked from anywhere yet. @jruderman , after I hear from you regarding the escaping issue, i'll make another PR linking it from the homepage. |
Not quite ready to merge. We need the notifications mailing list, and for #120 to link to it, so we'll probably merge this shortly after that lands.