Posted to dev@maven.apache.org by Benjamin Marwell <bm...@apache.org> on 2022/11/20 17:49:22 UTC

.well-known/security.txt at maven.apache.org

Hi!

Due to the recent GH activities (e.g. [1]), it came to my attention that
there is no file ".well-known/security.txt" on maven.apache.org.

We really should adopt it!
For some more information, please refer to [2].

WDYT?

- Ben

[1]: https://github.com/apache/maven-project-utils/pull/5
[2]: https://developer.okta.com/blog/2021/10/19/intro-security-txt

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


Re: .well-known/security.txt at maven.apache.org

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Oh missed the publication!
Then +1 to link to asf security page.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Sun, 20 Nov 2022 at 19:38, Benjamin Marwell <bm...@apache.org>
wrote:

> It is not a draft:
> https://datatracker.ietf.org/doc/html/rfc9116
>
> Source:
> https://securitytxt.org
>
> Yes, I know apache.org has their own page, and I would not add any
> contradicting information. In fact, there's a policy field taking a
> URL which should point to the apache.org policy
> (https://www.apache.org/security/#reporting-a-vulnerability).
>
> -Ben
>
> On Sun, 20 Nov 2022 at 19:32, Romain Manni-Bucau
> <rm...@gmail.com> wrote:
> >
> > Hi,
> >
> > AFAIK it is still a draft which can not go anywhere (or go elsewhere like
> > .security/ for some exposure reason since .well-known already has
> adoption
> > and rules) and I didn't see it much adopted yet. However at apache we
> have
> > kind of standards for that so isn't it too early to adopt it?
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <https://rmannibucau.metawerx.net/> | Old Blog
> > <http://rmannibucau.wordpress.com> | Github <
> https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> > <
> https://www.packtpub.com/application-development/java-ee-8-high-performance
> >
> >
> >
> > On Sun, 20 Nov 2022 at 18:48, Benjamin Marwell <bm...@apache.org>
> > wrote:
> >
> > > Hi!
> > >
> > > Due to the recent GH activities (e.g. [1]), it came to my attention that
> > > there is no file ".well-known/security.txt" on maven.apache.org.
> > >
> > > We really should adopt it!
> > > For some more information, please refer to [2].
> > >
> > > WDYT?
> > >
> > > - Ben
> > >
> > > [1]: https://github.com/apache/maven-project-utils/pull/5
> > > [2]: https://developer.okta.com/blog/2021/10/19/intro-security-txt
> > >
>

Re: .well-known/security.txt at maven.apache.org

Posted by Benjamin Marwell <bm...@apache.org>.
It is not a draft:
https://datatracker.ietf.org/doc/html/rfc9116

Source:
https://securitytxt.org

Yes, I know apache.org has their own page, and I would not add any
contradicting information. In fact, there's a policy field taking a
URL which should point to the apache.org policy
(https://www.apache.org/security/#reporting-a-vulnerability).

-Ben

On Sun, 20 Nov 2022 at 19:32, Romain Manni-Bucau
<rm...@gmail.com> wrote:
>
> Hi,
>
> AFAIK it is still a draft which can not go anywhere (or go elsewhere like
> .security/ for some exposure reason since .well-known already has adoption
> and rules) and I didn't see it much adopted yet. However at apache we have
> kind of standards for that so isn't it too early to adopt it?
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <https://rmannibucau.metawerx.net/> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
>
>
> On Sun, 20 Nov 2022 at 18:48, Benjamin Marwell <bm...@apache.org>
> wrote:
>
> > Hi!
> >
> > Due to the recent GH activities (e.g. [1]), it came to my attention that
> > there is no file ".well-known/security.txt" on maven.apache.org.
> >
> > We really should adopt it!
> > For some more information, please refer to [2].
> >
> > WDYT?
> >
> > - Ben
> >
> > [1]: https://github.com/apache/maven-project-utils/pull/5
> > [2]: https://developer.okta.com/blog/2021/10/19/intro-security-txt
> >


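To make the RFC 9116 field layout concrete, here is an added example (not code from the Maven project or the ASF): a constructed security.txt for maven.apache.org whose Policy field points at the apache.org reporting page named in this thread, plus a small checker for the rules that matter in practice (mandatory Contact and Expires, Expires present once and not in the past, URI-valued fields absolute and https). The Contact address, the Canonical URL and the Expires date are placeholders assumed for the example; EXAMPLE_NOW fixes "now" so the checks are reproducible.

```python
"""Minimal RFC 9116 (security.txt) checker.

Added example, not Apache's or the Maven project's code. The sample file,
its Contact address and its Expires date are constructed for illustration.
"""
from __future__ import annotations

import datetime as dt
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of what maven.apache.org could serve. The Policy URL is
# the apache.org reporting page from the thread; Contact and Expires are
# placeholders for this example.
SAMPLE = """\
# security.txt for maven.apache.org (constructed example)
Contact: mailto:security@apache.org
Expires: 2023-11-20T00:00:00.000Z
Policy: https://www.apache.org/security/#reporting-a-vulnerability
Canonical: https://maven.apache.org/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed counter-example: no Expires, a bare e-mail address instead of a
# URI, an http Policy URL and a repeated singleton field.
BAD_SAMPLE = """\
Contact: security@example.org
Policy: http://www.apache.org/security/#reporting-a-vulnerability
Preferred-Languages: en
Preferred-Languages: de
"""

# Fixed "current time" so the expiry check is reproducible.
EXAMPLE_NOW = dt.datetime(2023, 1, 1, tzinfo=dt.timezone.utc)

# Fields RFC 9116 says MUST NOT appear more than once.
SINGLETON_FIELDS = {"expires", "preferred-languages"}
# Fields whose values are URIs; web URIs among them must use https.
URI_FIELDS = {"contact", "policy", "canonical", "encryption",
              "acknowledgments", "hiring", "csaf"}


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> values, skipping blank and '#' comment lines.

    Unknown fields are kept (the RFC allows extension fields); lines without
    a ':' separator are collected under the pseudo-field '_malformed'.
    """
    fields: dict[str, list[str]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields["_malformed"].append(line)
            continue
        fields[name.strip().lower()].append(value.strip())
    return dict(fields)


def _parse_expires(value: str) -> dt.datetime | None:
    """Parse an RFC 3339 date-time such as 2023-11-20T00:00:00.000Z; None if invalid."""
    try:
        when = dt.datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    # Treat a naive timestamp as UTC so it can be compared with an aware "now".
    return when if when.tzinfo else when.replace(tzinfo=dt.timezone.utc)


def validate(text: str, now: dt.datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or dt.datetime.now(dt.timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    for bad in fields.get("_malformed", []):
        problems.append(f"malformed line (no ':'): {bad!r}")

    # Contact is mandatory and may repeat, listed in order of preference.
    if "contact" not in fields:
        problems.append("missing mandatory Contact field")

    # Expires is mandatory, appears exactly once, and must not be in the past;
    # the RFC recommends a value less than a year in the future.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once, found {len(expires)}")
    else:
        when = _parse_expires(expires[0])
        if when is None:
            problems.append(f"Expires is not an RFC 3339 date-time: {expires[0]!r}")
        elif when <= now:
            problems.append(f"file expired on {expires[0]}")
        elif when - now > dt.timedelta(days=365):
            problems.append("Expires is more than a year out (RFC recommends less)")

    for name in SINGLETON_FIELDS - {"expires"}:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must not appear more than once")

    # URI-valued fields must be absolute URIs, and web URIs must be https.
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            parsed = urlparse(value)
            if not parsed.scheme:
                problems.append(f"{name} value is not an absolute URI: {value!r}")
            elif parsed.scheme == "http":
                problems.append(f"{name} must use https, not http: {value!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("SAMPLE", SAMPLE), ("BAD_SAMPLE", BAD_SAMPLE)):
        print(label, validate(text, now=EXAMPLE_NOW) or "OK")
```

The checker deliberately reads the file as published, so the same function can be pointed at a fetched `https://maven.apache.org/.well-known/security.txt` body once the file exists; the Expires check is the one that bites in practice, because a stale file is worse than none for a reporter trying to reach the right contact.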

Re: .well-known/security.txt at maven.apache.org

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi,

AFAIK it is still a draft which can not go anywhere (or go elsewhere like
.security/ for some exposure reason since .well-known already has adoption
and rules) and I didn't see it much adopted yet. However at apache we have
kind of standards for that so isn't it too early to adopt it?

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Sun, 20 Nov 2022 at 18:48, Benjamin Marwell <bm...@apache.org>
wrote:

> Hi!
>
> Due to the recent GH activities (e.g. [1]), it came to my attention that
> there is no file ".well-known/security.txt" on maven.apache.org.
>
> We really should adopt it!
> For some more information, please refer to [2].
>
> WDYT?
>
> - Ben
>
> [1]: https://github.com/apache/maven-project-utils/pull/5
> [2]: https://developer.okta.com/blog/2021/10/19/intro-security-txt
>