Create SECURITY.md #854
Conversation
Adding a generic SECURITY.md file is probably not helpful at this point in time. This is something that other W3C specifications don't do, AFAIK.
There are only two versions of VCs (1.0 and 1.1), and both are supported at present, AFAIK. Reporting a vulnerability is a good thing to have, but it's noted in the specification (raise an issue).
Largely, -1 to this PR because it's generic and having multiple places w/ the same information can be problematic as the Editors will forget to update all the places over time.
-1 from me as well. If the specification itself has an issue it should be raised as an issue and addressed via proper discussions rather than a limited number of people finding out about it IMO. These security documents are more useful for implementations I'd think.
If the WG does decide this is needed (-1 from me and the other editor so far) then the text needs to be updated to be more specific than the generic text included at the moment.
@pavelkorablev6 -- Different people will approach this project and its information in different ways. Might I suggest, therefore, that @pavelkorablev6 modify the Given those changes, I would think that adding a reciprocal comment to the HTML source of the Data Model document, which points to this
@TallTed wrote:
I'm afraid that I would almost certainly miss that pointer in the HTML source. It's exceedingly easy to miss content like that, which is why we tend to prefer content in one location to make sure we don't screw things up over time. Working memory fades rapidly, and SECURITY.md is not a part of many Editors' workflows at W3C, so unless we can automate this (and we have bigger fish to fry here), I suggest we just drop it entirely. The place for this information is in the Status of the Document section and the README.md file. Almost all of the thousands of W3C repos don't use SECURITY.md to my knowledge. I appreciate that we're trying to find a way to pull in @pavelkorablev6's PR, but in this instance, I think it does more harm than good. That said, I wouldn't be averse to putting this information in README.md, but what that should really do is just duplicate the Status of the Document section verbatim... which tells people how to engage w/ issues/PRs/etc.
That seems a reasonable solution, given which I wouldn't mind also having
Marking this PR as "close after 7 days". The individual that raised the PR is non-responsive and it does not look like this PR is going to be accepted in its current form. This PR will be closed after February 6th 2022.
Closing this PR - it's been 10 days since the label was added.