Have a security.txt file hosted on the site.
I actually considered to propose this for inclusion in the software itself, so that bugs for any instance can be sent to the codename team (and potentially including the admin email, too, if they opted in)
That sounds like a great idea, @fnetX
Related to codename/codename#9 (comment)
Depends on forgejo/meta#37 for the OpenPGP key.
The public key needs to be uploaded somewhere (on our domain would be best, keys.openpgp.org would also do) and the private key should be used to sign the security.txt file.
Key is uploaded to keys.openpgp.org, I would also prefer if it was available under the forgejo domain.
I think the following would be an acceptable security.txt file, what do you think @Gusted? It will need signing with the GPG private key.
Contact: mailto:security@forgejo.com
Expires: 2023年12月31日T23:59:59.000Z
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F
Preferred-Languages: en
Canonical: https://forgejo.org/.well-known/security.txt
Good by me.
Who's moving this forward?
The text provided above needs to be signed using the security team's GPG key, which I believe only @Gusted and @dachary currently have access to.
Here it is.
$ gpg --armor --default-key 1B638BDF10969D627926B8D9F585D0F99E1FB56F --clearsign <<'EOF'
Contact: mailto:security@forgejo.com
Expires: 2023年12月31日T23:59:59.000Z
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F
Preferred-Languages: en
Canonical: https://forgejo.org/.well-known/security.txt
EOF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Contact: mailto:security@forgejo.com
Expires: 2023年12月31日T23:59:59.000Z
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F
Preferred-Languages: en
Canonical: https://forgejo.org/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQQbY4vfEJadYnkmuNn1hdD5nh+1bwUCY3x77wAKCRD1hdD5nh+1
b5nOAP9C1E3UOvyybjeXj5RbhmS9o6oSzKnEGlVDIz+3LZrQNwEAx6/vjUU0vsDQ
SM9TY2xwEM0bsLpuK4HG/cVKQ0YrPw8=
=mHwV
-----END PGP SIGNATURE-----
Thanks @dachary.
I've added this to the website in c6c9d405db.
You can see it at https://forgejo.codeberg.page/.well-known/security.txt
@dachary why does the security email uses the domain forgejo.com ? (and not .org)
Oops, that was my mistake, sorry. Not sure how I did that...
@dachary (or someone with the security team GPG key), could you re-sign the following corrected message please?
Contact: mailto:security@forgejo.org
Expires: 2023年12月31日T23:59:59.000Z
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F
Preferred-Languages: en
Canonical: https://forgejo.org/.well-known/security.txt
No due date set.
No dependencies set.
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?