GitoxideLabs-related updates other than URLs in this repo #1632
Comments
Byron
added
the
C-tracking-issue
|
Thanks a lot for setting this up, it's very much appreciated and compensates very well for my loose playbook on making this 'radical' move.
Maybe this could be adjusted to mention 'me' by name so people can still figure out how to send an email.
I agree that especially since a permanent redirect exists, there is no need to proactively change URLs in advisories. It seems like a good idea to only do so when an edit is required for other reasons as it's convenient then with minimal overhead. I hope with these notes, the remaining two checkboxes can be resolved. |
This doesn't change the contact, just rewords it to avoid possible future ambiguity, now that the repository is in an org. See GitoxideLabs#1632.
I've opened #1633 for this. |
Uh oh!
There was an error while loading. Please reload this page.
This repository was moved from
Byron/gitoxidetoGitoxideLabs/gitoxidewhen the GitoxideLabs organization was created, as described in #1406. Not all references have to be updated immediately and some never need to be updated, becauseByron/gitoxideURLs redirect to the new URL, which I think will remain in place for a very long time (ideally, for at least as long asGitoxideLabsURLs themselves work). Nonetheless there is a benefit to referring people to the canonical URL.#1624 makes these changes where applicable inside files in this repository, which also indirectly takes care of updating them in a number of other places; for example, information on crates.io will have the new repository URLs for subsequent crate releases. But there are a few more things that may benefit from being updated. I propose:
SECURITY.md(#1633)Summary metadata in mirrors
The Codeberg mirror has the summary/about text:
The gitee mirror has the summary/about text:
I suggest updating them both to this, or something much like it:
Ambiguity in
SECURITY.mdThis is unrelated to hyperlinks, arising differently from moving the repository into the newly created GitoxdeLabs org. The second paragraph has been unambiguous, even when read by someone with very minimal familiarity with the project:
In my opinion, this is a very useful thing to have. I furthermore recognize the benefit of having one fewer heavily indexed place with that email address, as well as the benefit of its indirectness to foregrounding the primary approach of making a draft advisory through the GitHub interface.
However, now that the repository is under an org rather than a specific user (you), people with very low familiarity with the project--which could happen if someone unfamiliar with this project discovers a vulnerability in gitoxide while using an application that uses it--may not immediately know who "my" is.
This is a very low risk, especially right now--right now, the risk is effectively zero, because there are no other actors with @icloud.com email addresses associated with any commits in the history of gitoxide's main branch.
References in advisories
There are three kinds of relevant advisories: repository-level GHSA advisories, global GHSA advisories (in the GitHub Advisory Database), and RUSTSEC advisories.
It seems to me that, when already editing an advisory for another reason, it would be a good idea to update the links, and otherwise they need not be updated. Exceptions to this could be made on an ad-hoc basis motivated by need or convenience.
I don't think we need an actual policy about this, but the above suggestion is not necessarily the only reasonable approach, and I will tend to lean toward following it unless I know I shouldn't.
The text was updated successfully, but these errors were encountered: