I suggest providing a security.txt as described in https://tools.ietf.org/html/rfc8615 at https://gentoo.org/.well-known/security.txt
My grep-foo must be weak today, as I don't see a single reference to 'security.txt' there.
(In reply to Michał Górny from comment #1)
> My grep-foo must be weak today, as I don't see a single reference to
> 'security.txt' there.

Nor do I see it on https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml either.
My mistake, sorry. security.txt is still in draft (https://datatracker.ietf.org/doc/draft-foudil-securitytxt/) and relies on RFC 8615, but it is already used by many pages. Example: https://www.google.com/.well-known/security.txt
So, how about simply using the security contacts page that already exists? For example:

Contact: https://www.gentoo.org/support/security
5 years later...

The spec is final now: https://www.rfc-editor.org/rfc/rfc9116

Other distributions use it:
https://www.kali.org/.well-known/security.txt
https://www.suse.com/.well-known/security.txt

There is a generator at https://securitytxt.org/

We had a discussion about migrating GLSA to CSAF. When migrated, we can add a link to the database in the security.txt.
How about something like:

Contact: https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&groups=Security
Expires: 2025-01-01T00:00:00.000Z

Note that I've made the bugs access-restricted by default there.
Sounds good for a start. Thanks.
@security, your opinion?
No strong opinion about the exact contact URL.
I would prefer to have a version with an expiration date, but that also requires a process to update it on a regular basis, and I'm not sure we are good at keeping up with that. I would also prefer to have it signed, but I'm not sure if we have a security@gentoo.org GPG key? If we have one, that should also be added.

My preferred content would be:

Contact: mailto:security@gentoo.org
Contact: https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&groups=Security
Expires: 2024-12-31T23:00:00.000Z
Preferred-Languages: en
Canonical: https://www.gentoo.org/.well-known/security.txt
Policy: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

Once this is in place we can also add a redirect on all other Gentoo sites (e.g. packages.gentoo.org, where /.well-known/security.txt redirects to https://www.gentoo.org/.well-known/security.txt).
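The content proposed in the comment above can be checked mechanically against the RFC 9116 rules that matter operationally: Contact and Expires are required, Expires and Preferred-Languages may appear only once, Expires must be a timestamp that is still in the future (and should be less than a year out, which is the "process to update it" concern raised above), and web URIs must use https. The checker below is an added example, not part of this bug or of Gentoo's infrastructure code; the sample file is constructed from the fields listed in the comment, and the `now` parameter is an assumption made so the expiry check is reproducible. It also accepts an OpenPGP cleartext-signed file by stripping the armor, but does not verify the signature.

```python
"""Checker for an RFC 9116 security.txt file.

Added example, not part of the Gentoo bug or of Gentoo's infrastructure code.
The sample below is constructed from the fields proposed in the comment above.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the content proposed in the thread, verbatim.
SAMPLE = """\
Contact: mailto:security@gentoo.org
Contact: https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&groups=Security
Expires: 2024-12-31T23:00:00.000Z
Preferred-Languages: en
Canonical: https://www.gentoo.org/.well-known/security.txt
Policy: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html
"""

# Constructed: the same sample wrapped as a cleartext-signed file; the signature
# block is a placeholder, not a real signature.
SIGNED_SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + SAMPLE +
    "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
)

# RFC 9116: these fields MUST NOT appear more than once.
SINGLE_VALUED = ("expires", "preferred-languages")
# Fields whose value, when it is a web URI, MUST use https.
WEB_URI_FIELDS = ("contact", "canonical", "policy", "acknowledgments", "hiring")


def parse_timestamp(value):
    """Parse an ISO 8601 / RFC 3339 timestamp into an aware datetime ('Z' accepted)."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp lacks a timezone")
    return dt


def strip_cleartext_signature(text):
    """Return the payload of an OpenPGP cleartext-signed file, or the text unchanged.

    The signature is NOT verified here; that requires gpg and the signer's key.
    """
    if not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text
    _head, sep, body = text.partition("\n\n")  # armor headers end at the first blank line
    if not sep:
        raise ValueError("malformed cleartext signature: no blank line after headers")
    payload, _, _ = body.partition("-----BEGIN PGP SIGNATURE-----")
    return payload


def parse_securitytxt(text):
    """Map lower-cased field names to the list of values seen, in file order."""
    fields = {}
    for lineno, raw in enumerate(strip_cleartext_signature(text).splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_securitytxt(text, now=None):
    """Return a list of problems found; an empty list means the checks pass.

    `now` is an ISO 8601 timestamp string used as the reference time (an
    assumption made for testability); it defaults to the current UTC time.
    """
    now_dt = parse_timestamp(now) if now else datetime.now(timezone.utc)
    fields = parse_securitytxt(text)
    problems = []

    if "contact" not in fields:
        problems.append("missing required Contact field")
    if "expires" not in fields:
        problems.append("missing required Expires field")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name.title()} must appear at most once")

    for value in fields.get("expires", [])[:1]:
        try:
            expires = parse_timestamp(value)
        except ValueError:
            problems.append(f"Expires is not a valid timestamp: {value}")
            continue
        if expires <= now_dt:
            problems.append("file has expired")
        elif expires - now_dt > timedelta(days=365):
            problems.append("Expires is more than a year away (RFC 9116: SHOULD be under a year)")

    for name in WEB_URI_FIELDS:
        for uri in fields.get(name, []):
            if ":" not in uri:
                problems.append(f"{name.title()} is not a URI: {uri}")
            elif uri.startswith("http://"):
                problems.append(f"{name.title()} must use https, not http: {uri}")
    return problems


if __name__ == "__main__":
    for problem in check_securitytxt(SAMPLE) or ["no problems found"]:
        print(problem)
```

Run against the live file the same way (`check_securitytxt(open(path).read())`) from a cron job or CI check, and the "file has expired" line is exactly the reminder the comment above says the team is unlikely to keep up with by hand.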
Looks good. You can update the file any time if there are improvements.