
Add security.txt file #5359

Merged
merged 7 commits into from
Jan 2, 2025

Conversation

daniel-beck
Contributor

@daniel-beck daniel-beck commented Aug 10, 2022

See https://securitytxt.org/

The expiration date is mandatory and a bit annoying. Options:

  • Currently implemented: Yearly expiration date we need to keep updating.
  • Date far in the future so we don't need to care at the risk of keeping obsolete data "in caches"
  • Automatically generate this field on site generation to be a few months into the future. Might be annoying given the workaround we're already applying to make .well-known/ work.

Thoughts?

@dduportal
Contributor

Makes a lot of sense, thanks Daniel!

I have 2 questions (non-blocking):

  • About the date renewal, WDYT about a process that would open a PR with a new date once or twice a year (or more frequently?). That would act as an automatic and no-brainer reminder to ask ourselves "is this information still up to date"?
  • Do you feel we should apply the same security.txt to other websites (such as updates.jenkins.io, get.jenkins.io, etc.)?

@MarkEWaite
Contributor

I like it. I don't mind updating the expiration date once a year with a pull request created by a human being. It shows that someone considered if the referenced pages are current and complete.

What if we extended the Jenkinsfile with a script that marks the build unstable when we are within a month of expiration? It currently checks for typos as one of the stages on ci.jenkins.io.
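A check in the spirit of the Jenkinsfile stage suggested above, written as an added example (not code from the jenkins-infra repository): it parses a security.txt, verifies the fields RFC 9116 makes mandatory (Contact and Expires), and reports whether the Expires timestamp is inside a warning window. The sample file contents, the 30-day window and the rejection of dates more than a year out are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample security.txt for the example; not the real jenkins.io file.
SAMPLE = """\
# Security contact (constructed sample)
Contact: mailto:security@example.org
Expires: 2025-12-31T23:59:00.000Z
Preferred-Languages: en
Canonical: https://www.example.org/.well-known/security.txt
"""

MANDATORY = ("Contact", "Expires")  # required by RFC 9116

def parse_security_txt(text):
    """Map field name -> list of values, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_expiry(text, now=None, warn_days=30):
    """Return 'ok', 'expiring' or 'expired'; raise ValueError on structural problems."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    for name in MANDATORY:
        if name not in fields:
            raise ValueError(f"missing mandatory field: {name}")
    if len(fields["Expires"]) != 1:
        raise ValueError("Expires must appear exactly once")
    # RFC 9116 uses an ISO 8601 timestamp; older Pythons reject a trailing 'Z'.
    expires = datetime.fromisoformat(fields["Expires"][0].replace("Z", "+00:00"))
    if expires.tzinfo is None:
        raise ValueError("Expires must carry a timezone")
    # Policy choice for this check: RFC 9116 recommends less than a year out.
    if expires - now > timedelta(days=366):
        raise ValueError("Expires is more than a year in the future")
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"
```

A CI stage would call check_expiry on the checked-out file and mark the build unstable on "expiring" and failed on "expired" or a ValueError.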

@dduportal
Contributor

with a pull request created by a human being

I thought of an automated PR (e.g. with updatecli or renovabot or even a cron trigger) which does the trick (to ensure that the date format is kept: I do not trust humans for date formats), but requires a human approval.

@daniel-beck daniel-beck marked this pull request as ready for review January 2, 2025 18:39
@daniel-beck daniel-beck requested a review from a team as a code owner January 2, 2025 18:39
@daniel-beck
Contributor Author

Just as a precaution, I have an updatecli manifest designed to keep the expiration date current. As we approach the final month before expiration, it will automatically create a PR to extend the date by one year into the future.

Nice, thanks. That seems consistent with recent practices elsewhere in this repo, so I've given up my attempts at dynamically generating this page. So I've moved this out of draft.


@MarkEWaite MarkEWaite left a comment


Thanks!

@MarkEWaite MarkEWaite enabled auto-merge (squash) January 2, 2025 18:44
@MarkEWaite MarkEWaite merged commit 421d001 into jenkins-infra:master Jan 2, 2025
4 of 6 checks passed