Provide https://qubes-os.org/.well-known/security.txt #7022

Open
DemiMarie opened this issue Oct 27, 2021 · 7 comments
Labels: C: website, P: default, pr submitted, security, T: enhancement

Comments

@DemiMarie

How to file a helpful issue

The problem you're addressing (if any)

Qubes OS doesn’t support the [security.txt] standard for machine-parsable vulnerability reporting information.

The solution you'd like

Support the standard 🙂

The value to a user, and who that user might be

Not sure tbh.

@DemiMarie DemiMarie added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Oct 27, 2021
@andrewdavidwong andrewdavidwong added C: website security This issue pertains to the security of Qubes OS. labels Oct 29, 2021
@andrewdavidwong andrewdavidwong added this to the Non-release milestone Oct 29, 2021
@andrewdavidwong
Member

andrewdavidwong commented Oct 29, 2021

What should the content of this file consist of? How common is this? Do other projects do it?

@unman
Member

unman commented Oct 29, 2021 via email

@andrewdavidwong
Member

> https://securitytxt.org/
> It's becoming more common although still not (imo) widely adopted.

Thanks. I generated one:

Contact: https://www.qubes-os.org/security/
Expires: 2025-01-01T08:00:00.000Z
Encryption: https://keys.qubes-os.org/keys/qubes-os-security-team-key.asc
Canonical: https://qubes-os.org/.well-known/security.txt
Policy: https://www.qubes-os.org/security/

(Not sure if Jekyll/GH Pages will let us use /.well-known/ in the permalink, but if not, we can put it in the root directory.)

@DemiMarie, is this what you had in mind?

@DemiMarie
Author

@andrewdavidwong For contact I would use mailto:[email protected] unless there is some reason not to.

@SaswatPadhi

@andrewdavidwong:

> Not sure if Jekyll/GH Pages will let us use /.well-known/ in the permalink, but if not, we can put it in the root directory.

If you place .well-known at the root of repo and add:

include:
  - .well-known

to the _config.yml file, then Jekyll will include this directory at the root of the output directory and the permalink /.well-known/ should work.

@andrewdavidwong
Member

> @andrewdavidwong For contact I would use mailto:[email protected] unless there is some reason not to.

I don't want it to get any more spam.

> @andrewdavidwong:
>
> > Not sure if Jekyll/GH Pages will let us use /.well-known/ in the permalink, but if not, we can put it in the root directory.
>
> If you place .well-known at the root of repo and add:
>
> include:
>   - .well-known
>
> to the _config.yml file, then Jekyll will include this directory at the root of the output directory and the permalink /.well-known/ should work.

Thanks!

@andrewdavidwong andrewdavidwong removed this from the Non-release milestone Aug 13, 2023
parulin added a commit to parulin/qubesos.github.io that referenced this issue Jun 14, 2024
Copy-pasting @andrewdavidwong content, and following @SaswatPadhi
instructions, only changing the expiration date (first proposition was
+4 years).

See:

- QubesOS/qubes-issues#7022
- https://forum.qubes-os.org/t/github-issue-7022-provide-https-qubes-os-org-well-known-security-txt/26972
@alimirjamali

pr submitted: QubesOS/qubesos.github.io#247
Awaits review

@parulin for the next time, add one of the keywords mentioned here to the commit message to link it to the issue. Thanks.

@andrewdavidwong andrewdavidwong added the pr submitted A pull request has been submitted for this issue. label Jun 27, 2024
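
An added example, not part of the issue thread or of the Qubes OS website code: a small checker for the security.txt draft posted above, applying the RFC 9116 rules that Contact appears at least once, Expires appears exactly once, Expires is recommended to be less than a year away (the concern behind the commit's expiry change), and Canonical, when present, lists the URI the file was fetched from. The helper name `check_security_txt`, its parameters and the reference dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# The draft posted in the thread, embedded as sample input.
DRAFT = """\
Contact: https://www.qubes-os.org/security/
Expires: 2025-01-01T08:00:00.000Z
Encryption: https://keys.qubes-os.org/keys/qubes-os-security-team-key.asc
Canonical: https://qubes-os.org/.well-known/security.txt
Policy: https://www.qubes-os.org/security/
"""

def check_security_txt(text, served_from, now):
    """Hypothetical helper: list findings; `now` must be timezone-aware."""
    fields, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            findings.append(f"line {n}: not a 'Name: value' field")
            continue
        # Field names are case-insensitive in RFC 9116.
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("Contact must appear at least once")
    for c in contacts:  # simplified scheme check: web URIs must be https
        if not c.startswith(("https://", "mailto:", "tel:")):
            findings.append(f"Contact is not an https, mailto or tel URI: {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            left = when - now  # TypeError if the value carries no UTC offset
        except (ValueError, TypeError):
            findings.append(f"Expires is not a full date-time: {expires[0]}")
        else:
            if left <= timedelta(0):
                findings.append("Expires is in the past: file is stale")
            elif left > timedelta(days=365):
                findings.append("Expires is more than a year away")
    canonical = fields.get("canonical", [])
    if canonical and served_from not in canonical:
        findings.append("Canonical does not list the URI the file was served from")
    return findings
```

Checked against the date the draft was posted, the only finding is the expiry distance; fetched from the `www.` host instead, the same file would also fail the Canonical check.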