
Bug 688380

Summary: Add .well-known/security.txt as suggested in RFC 9116
Product: Gentoo Infrastructure
Reporter: Jonas Stein <jstein>
Component: Web Node Issues
Assignee: Gentoo Website Team <www>
Status: CONFIRMED
Severity: normal CC: ajak, jstein, mgorny, security
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://tools.ietf.org/html/draft-foudil-securitytxt-06
Whiteboard:
Package list:
Runtime testing required: ---

Description Jonas Stein gentoo-dev 2019-06-20 11:09:16 UTC
I suggest to provide a security.txt
as described in
https://tools.ietf.org/html/rfc8615

on
https://gentoo.org/.well-known/security.txt
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-06-20 11:22:07 UTC
My grep-foo must be weak today, as I don't see a single reference to 'security.txt' there.
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2019-06-20 11:49:33 UTC
(In reply to Michał Górny from comment #1)
> My grep-foo must be weak today, as I don't see a single reference to
> 'security.txt' there.

Nor do I see it on https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml either.
Comment 3 Jonas Stein gentoo-dev 2019-06-20 12:16:39 UTC
My mistake. Sorry.
The security.txt is still in draft
https://datatracker.ietf.org/doc/draft-foudil-securitytxt/
and relies on RFC 8615.

But it is already used by many pages. 
Example:
https://www.google.com/.well-known/security.txt
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-16 03:11:16 UTC
So, how about simply using the security contacts page that already exists? For example:

Contact: https://www.gentoo.org/support/security
Comment 5 Jonas Stein gentoo-dev 2024-04-22 00:27:22 UTC
5 years later...
The spec is final now:
https://www.rfc-editor.org/rfc/rfc9116

Other distributions use it:
https://www.kali.org/.well-known/security.txt
https://www.suse.com/.well-known/security.txt

There is a generator on
https://securitytxt.org/

We had a discussion about migrating GLSA to CSAF. 
When migrated, we can add a link to the database in the security.txt.
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-22 17:20:46 UTC
How about something like:

Contact: https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&groups=Security
Expires: 2025-01-01T00:00:00.000Z


Note that I've made the bugs access-restricted by default there.
Comment 7 Jonas Stein gentoo-dev 2024-04-22 20:58:54 UTC
sounds good for a start. Thanks.
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-23 04:49:11 UTC
@security, your opinion?
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-04-23 05:52:16 UTC
No strong opinion about the exact contact URL.
Comment 10 Hans de Graaff gentoo-dev Security 2024-04-23 15:30:45 UTC
I would prefer to have a version with an expiration date but that also requires a process to update it on a regular basis, and I'm not sure we are good at keeping up with that.

I would also prefer to have it signed but I'm not sure if we have a security@gentoo.org GPG key? If we have one that should also be added.

My preferred content would be:

Contact: mailto:security@gentoo.org
Contact: https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&groups=Security
Expires: 2024-12-31T23:00:00.000Z
Preferred-Languages: en
Canonical: https://www.gentoo.org/.well-known/security.txt
Policy: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

Once this is in place we can also add a redirect on all other Gentoo sites (e.g. packages.gentoo.org, where /.well-known/security.txt redirects to https://www.gentoo.org/.well-known/security.txt).
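The proposal above is a complete RFC 9116 file, and Hans's concern about keeping Expires current is exactly the kind of thing a small checker can catch before the file goes stale. The following is an added example, not code from the Gentoo infrastructure team: it parses the content proposed in comment 10 (embedded as a constructed copy) and flags the RFC 9116 conditions the thread touches on, namely a required Contact, exactly one Expires that has not passed and is not more than a year out, and a Canonical URI that matches where the file is served (the redirect case). The review date is assumed to be that of the follow-up comment.

```python
"""Minimal RFC 9116 security.txt checker (added example, not Gentoo code)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample: the content proposed in comment 10 of the bug.
PROPOSED = """\
Contact: mailto:security@gentoo.org
Contact: https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&groups=Security
Expires: 2024-12-31T23:00:00.000Z
Preferred-Languages: en
Canonical: https://www.gentoo.org/.well-known/security.txt
Policy: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html
"""
# Assumed review time (date of the follow-up comment), so results are stable.
REVIEW_TIME = datetime(2024, 5, 1, tzinfo=timezone.utc)

def parse(text):
    """Return {lowercased field name: [values]}; comments and blanks skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # first colon only; URIs keep theirs
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check(text, served_at, now=REVIEW_TIME):
    """Return a list of problems; an empty list means the file passes."""
    f = parse(text)
    problems = []
    if not f.get("contact"):
        problems.append("Contact field is required")
    for c in f.get("contact", []):
        if urlparse(c).scheme not in ("https", "mailto", "tel"):
            problems.append(f"Contact should be an https/mailto/tel URI: {c}")
    exp = f.get("expires", [])
    if len(exp) != 1:
        problems.append("exactly one Expires field is required")
    else:
        when = datetime.fromisoformat(exp[0].replace("Z", "+00:00"))
        if when <= now:
            problems.append(f"file expired on {exp[0]}")
        elif when > now + timedelta(days=365):
            problems.append("Expires is more than a year out (RFC 9116 advises less)")
    if len(f.get("preferred-languages", [])) > 1:
        problems.append("at most one Preferred-Languages field is allowed")
    if "canonical" in f and served_at not in f["canonical"]:
        problems.append(f"served at {served_at} but Canonical lists {f['canonical']}")
    return problems
```

Running the check from a cron job against the live URL would give the regular re-validation that the expiration date otherwise depends on someone remembering.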
Comment 11 Jonas Stein gentoo-dev 2024-05-01 11:35:56 UTC
Looks good. You can update the file any time if there are improvements.