Bug 688380 - Add .well-known/security.txt as suggested in RFC 9116
Summary: Add .well-known/security.txt as suggested in RFC 9116
Status: CONFIRMED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Web Node Issues
Hardware: All Linux
Importance: Normal normal (1 vote)
Assignee: Gentoo Website Team
URL: https://tools.ietf.org/html/draft-fou...
Reported: 2019-06-20 11:09 UTC by Jonas Stein
Modified: 2024-05-01 11:35 UTC

Description Jonas Stein gentoo-dev 2019-06-20 11:09:16 UTC
I suggest to provide a security.txt
as described in
https://tools.ietf.org/html/rfc8615

on
https://gentoo.org/.well-known/security.txt
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-06-20 11:22:07 UTC
My grep-foo must be weak today, as I don't see a single reference to 'security.txt' there.
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2019-06-20 11:49:33 UTC
(In reply to Michał Górny from comment #1)
> My grep-foo must be weak today, as I don't see a single reference to
> 'security.txt' there.

Nor do I see it on https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml.
Comment 3 Jonas Stein gentoo-dev 2019-06-20 12:16:39 UTC
My mistake. Sorry.
security.txt is still in draft
https://datatracker.ietf.org/doc/draft-foudil-securitytxt/
and relies on RFC 8615.

But it is already used by many pages. 
Example:
https://www.google.com/.well-known/security.txt
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-16 03:11:16 UTC
So, how about simply using the security contacts page that already exists? For example:

Contact: https://www.gentoo.org/support/security
Comment 5 Jonas Stein gentoo-dev 2024-04-22 00:27:22 UTC
5 years later...
The spec is final now:
https://www.rfc-editor.org/rfc/rfc9116

Other distributions use it:
https://www.kali.org/.well-known/security.txt
https://www.suse.com/.well-known/security.txt

There is a generator at
https://securitytxt.org/

We had a discussion about migrating GLSA to CSAF. 
When migrated, we can add a link to the database in the security.txt.
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-22 17:20:46 UTC
How about something like:

Contact: https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&groups=Security
Expires: 2025-01-01T00:00:00.000Z


Note that I've made the bugs access-restricted by default there.
Comment 7 Jonas Stein gentoo-dev 2024-04-22 20:58:54 UTC
Sounds good for a start. Thanks.
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-23 04:49:11 UTC
@security, your opinion?
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-04-23 05:52:16 UTC
No strong opinion about the exact contact URL.
Comment 10 Hans de Graaff gentoo-dev Security 2024-04-23 15:30:45 UTC
I would prefer to have a version with an expiration date but that also requires a process to update it on a regular basis, and I'm not sure we are good at keeping up with that.

I would also prefer to have it signed but I'm not sure if we have a security@gentoo.org GPG key? If we have one that should also be added.

My preferred content would be:

Contact: mailto:security@gentoo.org
Contact: https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&groups=Security
Expires: 2024-12-31T23:00:00.000Z
Preferred-Languages: en
Canonical: https://www.gentoo.org/.well-known/security.txt
Policy: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

Once this is in place we can also add a redirect on all other Gentoo sites (e.g. packages.gentoo.org, where /.well-known/security.txt redirects to https://www.gentoo.org/.well-known/security.txt).
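Added example (not code from this bug or from Gentoo infrastructure): a small Python script that renders the file proposed in comment 10 (the Contact and Expires lines also cover the shorter proposal in comment 6) and checks it against the main RFC 9116 rules: at least one Contact with a mailto:, tel: or https: URI, exactly one Expires that is a timezone-qualified ISO 8601 date-time, not already past and less than a year away, at most one Preferred-Languages, and https-only URIs for Canonical, Policy, Acknowledgments and Hiring. It also unwraps an OpenPGP cleartext signature so a signed file (as comment 10 prefers) can be checked without first stripping the armor; the signature itself is not verified here. `REVIEW_TIME` is a fixed "now" (the date of the last comment) so the result is reproducible; the script and the field list it carries are assumptions of this example, not a file Gentoo has published.

```python
"""Render a security.txt file and check it against the main RFC 9116 rules.

Added example for this bug thread, not Gentoo infrastructure code.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Field content as proposed in comment 10 (the first two lines match comment 6).
GENTOO_FIELDS = [
    ("Contact", "mailto:security@gentoo.org"),
    ("Contact", "https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&groups=Security"),
    ("Expires", "2024-12-31T23:00:00.000Z"),
    ("Preferred-Languages", "en"),
    ("Canonical", "https://www.gentoo.org/.well-known/security.txt"),
    ("Policy", "https://www.gentoo.org/support/security/vulnerability-treatment-policy.html"),
]
# Fixed reference time for reproducible checks (date of comment 11 on the bug).
REVIEW_TIME = datetime(2024, 5, 1, tzinfo=timezone.utc)

# RFC 9116 section 2.5: these fields take https URIs; Contact may also use mailto:/tel:.
# Encryption is left out because it additionally allows dns: and openpgp4fpr: URIs.
HTTPS_ONLY = {"canonical", "policy", "acknowledgments", "hiring"}
CONTACT_SCHEMES = {"mailto", "tel", "https"}


def render(fields):
    """Serialise (name, value) pairs as 'Name: value' lines with LF line endings."""
    return "".join(f"{name}: {value}\n" for name, value in fields)


def unwrap_cleartext(text):
    """Return the signed body of an OpenPGP cleartext-signed file, else the text unchanged.

    The fields sit between the armor headers ('Hash: ...') and the signature block.
    The signature is NOT verified here; use gpg --verify for that.
    """
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    try:
        start = lines.index("", 1) + 1  # first blank line ends the armor headers
        end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    except ValueError:
        return text  # malformed armor: let the field parser report what it finds
    # Cleartext signatures dash-escape body lines that begin with '-' (RFC 4880 7.1).
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]
    return "\n".join(body) + "\n"


def parse(text):
    """Parse 'Field: value' lines into {lowercased field: [values]} plus syntax errors."""
    fields, errors = {}, []
    for n, raw in enumerate(unwrap_cleartext(text).splitlines(), 1):
        line = raw.rstrip("\r")
        if not line.strip() or line.startswith("#"):  # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.startswith(" "):
            errors.append(f"line {n}: expected 'Field: value', got {line!r}")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def validate(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse(text)

    contacts = fields.get("contact", [])
    if not contacts:
        errors.append("Contact is required (at least one)")
    for v in contacts:
        if urlparse(v).scheme not in CONTACT_SCHEMES:
            errors.append(f"Contact must be a mailto:, tel: or https: URI: {v}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        errors.append("Expires is required and must appear exactly once")
    else:
        stamp = expires[0]
        if stamp.endswith(("Z", "z")):  # older fromisoformat() needs an explicit +00:00
            stamp = stamp[:-1] + "+00:00"
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            errors.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")
        else:
            if when.tzinfo is None:
                errors.append("Expires must include a timezone offset")
            elif when <= now:
                errors.append(f"file expired at {expires[0]}; regenerate it")
            elif when - now > timedelta(days=365):
                errors.append("Expires should be less than a year in the future")

    if len(fields.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages must not appear more than once")

    for name in HTTPS_ONLY:
        for v in fields.get(name, []):
            if urlparse(v).scheme != "https":
                errors.append(f"{name} must be an https: URI: {v}")
    return errors


if __name__ == "__main__":
    text = render(GENTOO_FIELDS)
    print(text + "problems: " + (", ".join(validate(text)) or "none"))
```

Run it with `python3 security_txt_check.py`; to cover the "process to update it regularly" concern from comment 10, the same `validate()` call can sit in a cron job or CI step that fails once the Expires date has passed. For the signed variant, pipe the rendered text through `gpg --clearsign` and serve the output as the file; the parser above reads the fields out of that wrapper.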
Comment 11 Jonas Stein gentoo-dev 2024-05-01 11:35:56 UTC
Looks good. You can update the file any time if there are improvements.