[specification] Interesting new movement to include "security.txt" files in projects
|
Is this JUST for web services? The location section focuses on a fixed URL rather than, say, a location within a source repo. But then, I've barely skimmed the document.
From:
specification@... <specification@...> on behalf of Shane Coughlan <scoughlan@...> [External] |
|
|
|
My 2c's Honestly think that we are starting to overpopulate root project dirs. Not only LICENSE anymore, it goes for a number of files and this needs to have more control that what is today. Just for a few examples: CODE_OF_CONDUCT LICENSE README.(md,txt) contributing.md ... The list is already crowded and does not have a single common pattern. ( Note that i'm not even dealing with the fact that we have plenty of other files dev related, like linters, etc.. with their own config ) So, saying that, I'm really not against this new file as information is relevant, but we need to push as formal subfolder or similar idea to aggregate all this info. i.e, github put the things under .github, etc.. Having only README on top folder and something called as let's say as example, .project where we keep all this files, even more if some organization or company need to add specifics. Then my point is thumbs up for the idea, better start to think on how not to make project codes visually crowded. []'s On Tue, Mar 21, 2023 at 12:18 PM Steve Kilbane <stephen.kilbane@...> wrote:
|
|
|
|
Mike Linksvayer
Yes securitytext.org is for web sites/services, for example https://github.com/.well-known/security.txt SECURITY.* in a code repository typically alongside LICENSE -- though GitHub also looks in a couple other locations https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository -- I'm not aware of any commonplace or standard texts or structure but I may be ignorant. Anyway a few examples are https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md https://github.com/microsoft/repo-templates/blob/main/shared/SECURITY.md https://github.com/github/.github/blob/main/SECURITY.md Yes both .well-known in the website context and well known files in the codebase context arguably run risk of overpopulation, but it seems like making it easy to find out how to report security issues is quite important. Mike On Tue, Mar 21, 2023 at 4:18 AM Steve Kilbane <stephen.kilbane@...> wrote:
|
|
|