2020-08-22 16:40 UTC+02:00, Gary Gregory <[email protected]>:
> Two items: (1) security is different

from what?

> because, well, it seems obvious to me
> that anything security related should be as accessible as possible as
> opposed to going through an extra hoop

YMMV, but IMHO the (unique) "source of truth" is on the ASF web site(s):
  https://apache.org
  https://commons.apache.org
This
  https://github.com/apache/commons-io/security/policy
obviously (?) looks less authoritative. and... makes for an "extra hoop".

> and (2) making/keeping our GitHub
> presence a first class citizen in how we put a face on the project.

How does duplicate information improve anything (marketing or otherwise)?
Ultimately, reports still have to be posted to an ASF-hosted ML, and not on GH.

Gilles

>
> Gary
>
> On Sat, Aug 22, 2020, 10:15 Gilles Sadowski <[email protected]> wrote:
>
>> Hi.
>>
>> 2020-08-22 15:26 UTC+02:00, Gary Gregory <[email protected]>:
>> > Hi All,
>> >
>> > You may have noticed (or not) that GitHub has a Security [1] tab for our
>> > repositories. On this tab, you can define a Security Policy.[2] in a
>> > SECURITY.md (just like we have a README.md).
>> >
>> > I would like to fill this in with the same text we now have here:
>> > https://commons.apache.org/security.html
>> >
>> > Each repository should end up with a SECURITY.md which in theory should be
>> > the same.
>>
>> As in code, I'd prefer to avoid such duplicated files; currently,
>> as you point out above, this is managed via our common web site.
>> I'm pretty sure the duplication will proceed; so at least, the
>> contents of this file should just be a terse:
>> ---CUT---
>> To report a security problem, please read the
>> [Apache Commons project's security page](https://commons.apache.org/security.html).
>> ---CUT---
>>
>> Regards,
>> Gilles
>>
>> >
>> > Gary
>> >
>> > [1] https://github.com/apache/commons-compress/security
>> > [2] https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>>
>
