32
41
Fork
You've already forked website
54

security.txt #14

Closed
opened 2022年11月11日 23:26:32 +01:00 by Gusted · 13 comments

Have a security.txt file hosted on the site.

Have [a security.txt](https://securitytxt.org/) file hosted on the site.
Owner
Copy link

I actually considered to propose this for inclusion in the software itself, so that bugs for any instance can be sent to the codename team (and potentially including the admin email, too, if they opted in)

I actually considered to propose this for inclusion in the software itself, so that bugs for any instance can be sent to the codename team (and potentially including the admin email, too, if they opted in)
Member
Copy link

That sounds like a great idea, @fnetX

That sounds like a great idea, @fnetX
Contributor
Copy link
Related to https://codeberg.org/codename/codename/issues/9#issuecomment-684358
Member
Copy link

Depends on forgejo/meta#37 for the OpenPGP key.
The public key needs to be uploaded somewhere (on our domain would be best, keys.openpgp.org would also do) and the private key should be used to sign the security.txt file.

Depends on forgejo/meta#37 for the OpenPGP key. The public key needs to be uploaded somewhere (on our domain would be best, keys.openpgp.org would also do) and the private key should be used to sign the security.txt file.
Author
Owner
Copy link

Key is uploaded to keys.openpgp.org, I would also prefer if it was available under the forgejo domain.

Key is uploaded to keys.openpgp.org, I would also prefer if it was available under the forgejo domain.
Member
Copy link

I think the following would be an acceptable security.txt file, what do you think @Gusted? It will need signing with the GPG private key.

Contact: mailto:security@forgejo.com
Expires: 2023年12月31日T23:59:59.000Z
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F
Preferred-Languages: en
Canonical: https://forgejo.org/.well-known/security.txt
I think the following would be an acceptable `security.txt` file, what do you think @Gusted? It will need signing with the GPG private key. ``` Contact: mailto:security@forgejo.com Expires: 2023年12月31日T23:59:59.000Z Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F Preferred-Languages: en Canonical: https://forgejo.org/.well-known/security.txt ```
Author
Owner
Copy link

Good by me.

Good by me.
Contributor
Copy link

Who's moving this forward?

Who's moving this forward?
Member
Copy link

The text provided above needs to be signed using the security team's GPG key, which I believe only @Gusted and @dachary currently have access to.

The text provided above needs to be signed using the security team's GPG key, which I believe only @Gusted and @dachary currently have access to.

Here it is.

$ gpg --armor --default-key 1B638BDF10969D627926B8D9F585D0F99E1FB56F --clearsign <<'EOF'
Contact: mailto:security@forgejo.com
Expires: 2023年12月31日T23:59:59.000Z
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F
Preferred-Languages: en
Canonical: https://forgejo.org/.well-known/security.txt
EOF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Contact: mailto:security@forgejo.com
Expires: 2023年12月31日T23:59:59.000Z
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F
Preferred-Languages: en
Canonical: https://forgejo.org/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQQbY4vfEJadYnkmuNn1hdD5nh+1bwUCY3x77wAKCRD1hdD5nh+1
b5nOAP9C1E3UOvyybjeXj5RbhmS9o6oSzKnEGlVDIz+3LZrQNwEAx6/vjUU0vsDQ
SM9TY2xwEM0bsLpuK4HG/cVKQ0YrPw8=
=mHwV
-----END PGP SIGNATURE-----
Here it is. ``` $ gpg --armor --default-key 1B638BDF10969D627926B8D9F585D0F99E1FB56F --clearsign <<'EOF' Contact: mailto:security@forgejo.com Expires: 2023年12月31日T23:59:59.000Z Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F Preferred-Languages: en Canonical: https://forgejo.org/.well-known/security.txt EOF -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Contact: mailto:security@forgejo.com Expires: 2023年12月31日T23:59:59.000Z Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F Preferred-Languages: en Canonical: https://forgejo.org/.well-known/security.txt -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQQbY4vfEJadYnkmuNn1hdD5nh+1bwUCY3x77wAKCRD1hdD5nh+1 b5nOAP9C1E3UOvyybjeXj5RbhmS9o6oSzKnEGlVDIz+3LZrQNwEAx6/vjUU0vsDQ SM9TY2xwEM0bsLpuK4HG/cVKQ0YrPw8= =mHwV -----END PGP SIGNATURE----- ```
caesar referenced this issue from a commit 2022年11月22日 10:03:36 +01:00
Member
Copy link

Thanks @dachary.
I've added this to the website in c6c9d405db.

You can see it at https://forgejo.codeberg.page/.well-known/security.txt

Thanks @dachary. I've added this to the website in https://codeberg.org/forgejo/website/commit/c6c9d405db8953fc957fba89feb6a163dd331e10. You can see it at https://forgejo.codeberg.page/.well-known/security.txt

@dachary why does the security email uses the domain forgejo.com ? (and not .org)

@dachary why does the security email uses the domain forgejo.com ? (and not .org)
Member
Copy link

Oops, that was my mistake, sorry. Not sure how I did that...

@dachary (or someone with the security team GPG key), could you re-sign the following corrected message please?

Contact: mailto:security@forgejo.org
Expires: 2023年12月31日T23:59:59.000Z
Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F
Preferred-Languages: en
Canonical: https://forgejo.org/.well-known/security.txt
Oops, that was my mistake, sorry. Not sure how I did that... @dachary (or someone with the security team GPG key), could you re-sign the following corrected message please? ``` Contact: mailto:security@forgejo.org Expires: 2023年12月31日T23:59:59.000Z Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F Preferred-Languages: en Canonical: https://forgejo.org/.well-known/security.txt ```
Sign in to join this conversation.
No Branch/Tag specified
main
monthly-2026-05
mahlzahn-eslint-js
preview-link-status
nightfire
2022年12月14日-main
No results found.
Labels
Clear labels
404
Broken links or missing content
Accessibility
Accessibility
Blog post
Documentation
Forgejo Documentation
Internationalisation
i18n and l10n
User research - Accessibility
Requires input about accessibility features, likely involves user testing.
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.
User research - Errors
How to deal with errors in the application and write helpful error messages.
User research - Filters
How filter and search is being worked with.
User research - Future backlog
The issue might be inspiring for future design work.
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc
User research - Labels
Active research about Labels
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research
User research - Needs input
Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard
Research on how users should know what to do next.
User research - Rendering
Text rendering, markup languages etc
User research - Repo creation
Active research about the New Repo dialog.
User research - Repo units
The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)
How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
6 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/website#14
Reference in a new issue
forgejo/website
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?