[specification] Interesting new movement to include "security.txt" files in projects


Steve Kilbane
 

Is this JUST for web services? The location section focuses on a fixed URL rather than, say, a location within a source repo. But then, I've barely skimmed the document.

 

From: specification@... <specification@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Tuesday, 21 March 2023 at 09:02
To: OpenChain Main <main@...>, OpenChain Specification <specification@...>
Subject: [specification] Interesting new movement to include "security.txt" files in projects

[External]

Jeff flagged this on our monthly call (2023-03-21)
https://urldefense.com/v3/__https://securitytxt.org/__;!!A3Ni8CS0y2Y!4oNmnVaJi1ThUDrgRh9uv_JNA453-F3t53lxrZas_EttVsn4Meu5Sekc11vsYinHcOzc-V7xZlKX5iXMiun22KfB2WF-Mz4$

It is like LICENSE files but for security.

What do you think? Have you heard about this? Useful in your workflow?





Helio Chissini de Castro
 

My 2c's

I honestly think that we are starting to overpopulate root project dirs.
It is not only LICENSE anymore; it goes for a number of files, and this needs more control than what it is today.
 
Just for a few examples:
CODE_OF_CONDUCT
LICENSE
README.(md,txt)
contributing.md
...

The list is already crowded and does not have a single common pattern. (Note that I'm not even dealing with the fact that we have plenty of other dev-related files, like linters, etc., with their own config.)

So, saying that, I'm really not against this new file, as the information is relevant, but we need to push a formal subfolder or similar idea to aggregate all this info, i.e., GitHub puts things under .github, etc.

Having only README in the top folder and something called, let's say as an example, .project, where we keep all these files, even more so if some organization or company needs to add specifics.

So my point is: thumbs up for the idea, but better start thinking about how not to make project code visually crowded.

[]'s 


On Tue, Mar 21, 2023 at 12:18 PM Steve Kilbane <stephen.kilbane@...> wrote:

Is this JUST for web services? The location section focuses on a fixed URL rather than, say, a location within a source repo. But then, I've barely skimmed the document.





Mike Linksvayer
 

Yes, securitytxt.org is for web sites/services, for example https://github.com/.well-known/security.txt

SECURITY.* in a code repository typically sits alongside LICENSE -- though GitHub also looks in a couple of other locations: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository -- I'm not aware of any commonplace or standard texts or structure, but I may be ignorant. Anyway, a few examples are https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md https://github.com/microsoft/repo-templates/blob/main/shared/SECURITY.md https://github.com/github/.github/blob/main/SECURITY.md

Yes, both .well-known in the website context and well-known files in the codebase context arguably run the risk of overpopulation, but it seems like making it easy to find out how to report security issues is quite important.

Mike

On Tue, Mar 21, 2023 at 4:18 AM Steve Kilbane <stephen.kilbane@...> wrote:

Is this JUST for web services? The location section focuses on a fixed URL rather than, say, a location within a source repo. But then, I've barely skimmed the document.
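As an added example, not code from this thread or from securitytxt.org: a small Python check of the .well-known/security.txt format Mike refers to, against the two fields RFC 9116 requires (Contact and Expires) and the once-only rule for Expires and Preferred-Languages. The sample file below is constructed, not fetched from any site.

```python
"""Minimal validator for a security.txt file (RFC 9116 field rules)."""
from datetime import datetime, timedelta, timezone

# Constructed sample security.txt; comments and blank lines are allowed.
SAMPLE = """\
# Constructed example, not a real site's file
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2023-12-31T23:59:00Z
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""

# Fields the RFC says MUST NOT appear more than once.
SINGLE_VALUE = ("expires", "preferred-languages")


def parse_time(value):
    """Parse the ISO 8601 timestamp used by Expires; 'Z' means UTC."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00").replace("z", "+00:00"))


def parse_security_txt(text):
    """Return {field name in lower case: [values]}; comments and blanks are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line; a strict parser would reject it
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks.

    `now` may be an ISO 8601 string (handy for tests) or None for the current time."""
    now = parse_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    fields = parse_security_txt(text)
    problems = []
    if "contact" not in fields:
        problems.append("missing required Contact field")
    for name in SINGLE_VALUE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must not appear more than once")
    expires = fields.get("expires")
    if not expires:
        problems.append("missing required Expires field")
    else:
        try:
            when = parse_time(expires[0])
            if when <= now:
                problems.append("file has expired")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year out")  # RFC says SHOULD be under a year
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
    return problems


if __name__ == "__main__":
    print(check_security_txt(SAMPLE))
```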