Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Security

X-seq: zsh-workers 47767
From: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
To: Jérémie Roquet <jroquet@xxxxxxxxxxxxx>
Subject: Re: Security
Date: Mon, 28 Dec 2020 10:46:12 +0000
Archived-at: <https://zsh.org/workers/47767>
Archived-at: <http://www.zsh.org/sympa/arcsearch_id/zsh-workers/2020-12/20201228104612.GC10030%40tarpaulin.shahaf.local2>
Authentication-results: zsh.org; iprev=pass (out2-smtp.messagingengine.com) smtp.remote-ip=66.111.4.26; dkim=pass header.d=daniel.shahaf.name header.s=fm2 header.a=rsa-sha256; dkim=pass header.d=messagingengine.com header.s=fm1 header.a=rsa-sha256; dmarc=none header.from=daniel.shahaf.name; arc=none
Cc: Zsh Hackers' List <zsh-workers@xxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= daniel.shahaf.name; h=date:from:to:cc:subject:message-id :references:mime-version:content-type:content-transfer-encoding :in-reply-to; s=fm2; bh=ZGWlxCidXoVOmwc0TYoAoJ38fzzSFO6AviEC8nzA bD0=; b=S2uHw8Gw5CFl1rP1UjSdKz9VU1zhDpmfkuLjcIRJXXa+EwfIy85FrsOg oXwHtdoJR6fSOWVkdxutPJaTWor840OLrvk8cJvCK1tybuKmGut1zgtCV8+Fekr7 ppNkx6vS3R+B9AJE5YcBSWs4ljPukqkALm3aGgKbpImiScxey+oQbB8PR005Jzkf PZdG9V7jARmacrAcK87j99hIOsG3kX3amm9LiB6uu+g6BN5vbxnCpeREqIC62Pft JGxONcwwef4tEec215nsJftx3ABNqVlHTqZXIgnIxVK/k7L1eSuGAOvXlCJc2izA qycnDrf2Jw37jnEp0PnbcwHgDkq9MA==
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=ZGWlxCidXoVOmwc0TYoAoJ38fzzSFO6AviEC8nzAb D0=; b=dIfUIWhNMuLNIdu9bmpc88NZ1T3cSDF/9IxY3nnACckgUu3tV7yEqsIJi GM4T4wRJzj715IcW1BZ1MW6yBTvS90+WurMrxQdWLomWUgYEnEPd9q16DIC5f0DZ j+H6Le8rYABySKfkdR/iEMJ3K6YTl6nM7tT6nQdFo8Kh+YVi1tWTXhFDaKr+4A+T 0H13l8Qj1zBKGSWSZHKBz609R+OCukqT9ElIQL7UyE/CC4RK+o4XYc8o/YPysj0A PbGQe4nb7rD65OO2HouPnDyJcpYGRNd4pxm4bn+vKIurKFP81tAbviPPom/XtUms 7Wi4g0zseKvSQW4XHFOdqCZMLlyKw==
In-reply-to: <CAFOazAOv5MpK4oCtE2KONwUhand6D3Nj7i9z-SWkyD=iBXxmhg@mail.gmail.com>
List-archive: <http://www.zsh.org/sympa/arc/zsh-workers>
List-help: <mailto:sympa@zsh.org?subject=help>
List-id: <zsh-workers.zsh.org>
List-owner: <mailto:zsh-workers-request@zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
List-subscribe: <mailto:sympa@zsh.org?subject=subscribe%20zsh-workers>
List-unsubscribe: <mailto:sympa@zsh.org?subject=unsubscribe%20zsh-workers>
References: <paAbf-KNB0KbNKpcW3QUwRieHYlcjHX1JUBuWrVKyRFxy3huAGdvLPpI3AarFSLDymL3AP4TfrD_Pusx13LQUUoAxYUBOWasBoMDvSPvppk=@protonmail.com> <CAFOazAPaNLP6Yg6krO7mtcSrgoj=+rmg-=Awc-ju8rBfqKykUQ@mail.gmail.com> <9ukE0EnlTIntEcJ7b7nLSoq5E3XfeB-HtfyHk1Vmzoh_NojpSpL_amjhCixUBdb164pmStO4by1oduUBR0zCJpK0xGzrh2uz42flRXt96-8=@protonmail.com> <X+N714veDei3MIVm@andrew.cmu.edu> <Uzy4-LW1s3eKrllB-zw35G-ORZsJNQl6uPzDhishTuzE-QC_Hir0nOOi00r5bRdlm-N9GbNJL9gGifBuXxQt8QKlz7yATk4Ah4bxVqOjQKM=@protonmail.com> <a5f44f89-bec5-487d-aee3-8c4eb4f521fa@www.fastmail.com> <X+kBRpTydSUosZNw@fullerene.field.pennock-tech.net> <CAFOazAOFxerpsmFB6QKMa1krjDu9Ke3G+Z4vYrz=sHY9bpYHBQ@mail.gmail.com> <X+kasJvMFivCnBmR@fullerene.field.pennock-tech.net> <CAFOazAOv5MpK4oCtE2KONwUhand6D3Nj7i9z-SWkyD=iBXxmhg@mail.gmail.com>
Sender: zsh-workers-request@xxxxxxx

Jérémie Roquet wrote on Mon, Dec 28, 2020 at 01:11:10 +0100:
> Le lun. 28 déc. 2020 à 00:37, Phil Pennock
> <zsh-workers+phil.pennock@xxxxxxxxxxxx> a écrit :
> >
> > On 2020-12-27 at 23:40 +0100, Jérémie Roquet wrote:
> > > Daniel, Phil, would it be possible to advertise for this new list on
> > > the mailing lists page?
> > >
> > >   http://zsh.sourceforge.net/Arc/mlist.html
> >
> > Theoretically done.  I don't know how much caching there is inside
> > SourceForge, but the git repo has been updated and the website content
> > has been rsync'd.
> 
> That's visible for me now. Thank you!
> 
> > > … and maybe set up a security.txt as well?
> > >
> > >   https://securitytxt.org/
> > >
> > > That's not yet a widely recognized standard, but I believe someone
> > > unfamiliar with a project yet familiar with security would start by
> > > looking there if there's is a contact address.
> >
> > This one is not my call to make.  I like the general idea and use it for
> > my own site (which ~nobody cares about) but I'm not going to deploy
> > without other folks mulling it over first.
> 
> That's fair. So, for anyone wondering what this security.txt thing is
> about: it's a single file made available at
> $DOMAIN/.well-known/security.txt, in which some predefined fields can
> / should be filled in, such as an email address to use to report
> security issues. This mostly used to report issues on websites rather
> than in software, but I believe it's a place where people into
> security will look at anyway if they are trying to find a contact
> address (possibly before looking at the website itself). The
> specification is intended to become a standard

Are you sure about this?  The Internet Draft's "Intended status" is
"Informational", as opposed to "Standards track".

> but isn't yet; its ability to become one is also driven by its adoption, of
> course (the usual chicken-and-egg problem).

Cheers,

Daniel

Follow-Ups:
- Re: Security
  - From: Jérémie Roquet

References:
- Security
  - From: reportyigit46
- Re: Security
  - From: Jérémie Roquet
- Re: Security
  - From: reportyigit46
- Re: Security
  - From: gi1242+zsh
- Re: Security
  - From: reportyigit46
- Re: Security
  - From: Daniel Shahaf
- Re: Security
  - From: Phil Pennock
- Re: Security
  - From: Jérémie Roquet
- Re: Security
  - From: Phil Pennock
- Re: Security
  - From: Jérémie Roquet

Messages sorted by: Reverse Date, Date, Thread, Author