
Update RTD security docs #3641

Merged
merged 2 commits into from
Feb 22, 2018

Conversation

davidfischer
Contributor

Fixes #3637

Member

@humitos humitos left a comment


I like it!

Just left a question to understand how the well-known URI is used (not a blocker)

@@ -34,6 +34,8 @@
url(r'^$', HomepageView.as_view(), name='homepage'),
url(r'^support/', SupportView.as_view(), name='support'),
url(r'^security/', TemplateView.as_view(template_name='security.html')),
url(r'^.well-known/security.txt',
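Review bot: the new pattern `r'^.well-known/security.txt'` leaves both dots as unescaped regex metacharacters and has no `$` anchor, so it also matches paths such as `/Xwell-known/securityXtxt` or `/.well-known/security.txt.bak`; `r'^\.well-known/security\.txt$'` restricts it to the exact well-known path. The hunk is also cut off after the `url(` line, so the view that serves the file is not visible here and should be checked for the `text/plain` content type the file is expected to carry.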
Member


Do we need this? Who uses it? How?

(I read the RFC at https://tools.ietf.org/html/rfc5785 but I don't understand the use case)

Contributor Author


I should have put more details. A security.txt file is not yet a standard but may be. It has been submitted to become an RFC. The goal of it is that it is a standard place where a security researcher can find the right place to disclose an issue.

https://securitytxt.org/

Member

@ericholscher ericholscher left a comment


👍 -- only bit is we need to make sure we can actually read the email from the PGP key :)


You may use this `PGP key`_ to securely communicate with us and to verify signed messages you receive from us.

.. _PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71337C3047A1B066
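Review bot: the `PGP key` target fetches the key over plain `http://` from pgp.mit.edu:11371, an unauthenticated transport, and the page gives the reader nothing to compare the downloaded key against. State the key's full fingerprint in the document next to the link (and prefer an `https://` keyserver URL or a copy hosted with the docs) so a researcher can verify they encrypt to the right key; as the thread notes, the key must also be one the team can still read.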
Member


I believe this is my PGP key, and I'm not confident I still have access to it. Perhaps we should generate a new one via keybase or something, perhaps that we can share with the team?

Contributor Author


Oh, if you don't have access to it that is definitely a problem. I'll create a new one and share the key.

Security issue archive
~~~~~~~~~~~~~~~~~~~~~~

It's only a matter of time...
Member


Yep :/

@davidfischer
Contributor Author

The security@ email is now live

@@ -0,0 +1 @@
Policy: https://docs.readthedocs.io/en/latest/security.html
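Review bot: the file carries only `Policy:`, so a researcher who finds it still has to follow the link and hunt for an address. Add `Contact: mailto:security@…` (the security@ mailbox the thread says is now live) and `Encryption:` pointing at the team's PGP key, so the file is actionable on its own; `Acknowledgements:` can point at the security issue archive once it exists.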
Member


Reading the official page, https://securitytxt.org/ I found that there are more fields we can add here:

Contact:
Encryption: 
Acknowledgements: 
Policy: 
Signature: 
Hiring: 

Contact, Encryption and Signature are good candidates I think.
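The two comments above describe what a security.txt file is for and which fields it can carry. As an added example that is not part of the pull request or the Read the Docs code base, here is a small parser and sanity checker for such a file: it collects the fields in file order and reports the problems a maintainer would want to catch before publishing (no `Contact:`, no `Policy:`, a field name outside the list quoted above, or any value fetched over plain `http://`). The `PR_SAMPLE` input mirrors the one-line file in the PR; `FULL_SAMPLE`, the `example.invalid` hosts and the function names are constructed for the example.

```python
"""Parser and sanity checker for a security.txt file (added example)."""
import re
from typing import Dict, List

# Field names quoted from securitytxt.org in the thread; matched case-insensitively.
KNOWN_FIELDS = ("contact", "encryption", "acknowledgements",
                "policy", "signature", "hiring")

# "Name: value" with the name stopping at the first colon, value trimmed.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(\S.*?)\s*$")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Return {field-name (lowercase): [values...]} in file order.

    Blank lines and '#' comments are skipped; a field may repeat
    (several Contact: lines, for instance), so each name maps to a list.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = FIELD_RE.match(line)
        if match is None:
            continue  # tolerate a junk line instead of rejecting the whole file
        name, value = match.group(1).lower(), match.group(2)
        fields.setdefault(name, []).append(value)
    return fields


def check_security_txt(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file looks usable."""
    fields = parse_security_txt(text)
    findings: List[str] = []
    if "contact" not in fields:
        findings.append("missing Contact field")
    if "policy" not in fields:
        findings.append("missing Policy field")
    for name, values in fields.items():
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field: {name}")
        for value in values:
            # A value fetched over plain http can be altered in transit, which
            # matters most for the Encryption key and the Contact address.
            if value.lower().startswith("http://"):
                findings.append(f"{name.capitalize()} uses plain http: {value}")
    return findings


# Constructed inputs: PR_SAMPLE mirrors the PR's one-line file, FULL_SAMPLE is
# an invented file using reserved example.invalid hosts.
PR_SAMPLE = "Policy: https://docs.readthedocs.io/en/latest/security.html\n"

FULL_SAMPLE = """\
# constructed example, not a real site's file
Contact: mailto:security@example.invalid
Encryption: http://keys.example.invalid/security.asc
Policy: https://docs.example.invalid/security.html
Acknowledgements: https://docs.example.invalid/security.html#hall-of-fame
"""

if __name__ == "__main__":
    for label, sample in (("PR file", PR_SAMPLE), ("fuller file", FULL_SAMPLE)):
        print(label, "->", check_security_txt(sample) or ["no findings"])
```

Run against the PR's file the checker reports only the missing `Contact:`; against the fuller constructed file it flags the key served over plain http, which is the same concern a reviewer raises about the keyserver link in the docs.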

@RichardLitt RichardLitt added the PR: work in progress Pull request is not ready for full review label Feb 21, 2018
@davidfischer
Contributor Author

I have generated the new GPG key and I'll push an update here once it has been received by the key servers.

@davidfischer davidfischer added PR: ready for review and removed PR: work in progress Pull request is not ready for full review labels Feb 21, 2018
@davidfischer
Contributor Author

The key has been updated and this is ready to go.

@ericholscher ericholscher merged commit 6317e06 into readthedocs:master Feb 22, 2018
@ericholscher
Member

🎆
