dev
Messages by Date
2026/04/02
[I] Consider moving the PubSub code to ASFQuart (tooling-trusted-releases)
via GitHub
2026/04/02
Re: [I] API Blueprint Lacks Explicit CORS Preflight Enforcement for Session-Authenticated Endpoints (tooling-trusted-releases)
via GitHub
2026/04/02
Re: [I] API Blueprint Lacks Explicit CORS Preflight Enforcement for Session-Authenticated Endpoints (tooling-trusted-releases)
via GitHub
2026/04/02
Re: [PR] Updates to dev/test/production mode detection (tooling-trusted-releases)
via GitHub
2026/04/01
[I] No Session Termination After SSH Key Changes (tooling-trusted-releases)
via GitHub
2026/04/01
[I] Form Validation Error Messages Rendered as Unescaped HTML (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [I] Missing Phase Validation in Vote Start Flow (tooling-trusted-releases)
via GitHub
2026/04/01
[I] Disallowed File Detection Occurs After Storage, Not At Upload Time (tooling-trusted-releases)
via GitHub
2026/04/01
[I] No Evidence of postMessage Origin Validation in Application (tooling-trusted-releases)
via GitHub
2026/04/01
[I] API Distribution Models Missing Platform/Owner-Namespace Validation (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [I] Missing Phase Validation in Vote Start Flow (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [I] Update Pygments when a fix for CVE-2026-4539 is available (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [I] Update Pygments when a fix for CVE-2026-4539 is available (tooling-trusted-releases)
via GitHub
2026/04/01
[I] Project Creation Race Condition Between Existence Check and Insert (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [I] Finish-Phase Operations Executable During Any Release Phase (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [I] Finish-Phase Operations Executable During Any Release Phase (tooling-trusted-releases)
via GitHub
2026/04/01
[I] Web-Issued JWTs Cannot Be Revoked and Survive PAT Deletion (tooling-trusted-releases)
via GitHub
2026/04/01
[I] API Blueprint Lacks Explicit CORS Preflight Enforcement for Session-Authenticated Endpoints (tooling-trusted-releases)
via GitHub
2026/04/01
[I] Pre-Extraction Safety Checks Do Not Verify Total Uncompressed Size (tooling-trusted-releases)
via GitHub
2026/04/01
[I] Admin Blueprint post Decorator Bypasses LDAP Active Account Check (tooling-trusted-releases)
via GitHub
2026/04/01
[I] Documentation Does Not Address Adaptive Response Mechanisms (tooling-trusted-releases)
via GitHub
2026/04/01
[I] ldap.is_active() Returns True When LDAP Is Unconfigured (Fail-Open) (tooling-trusted-releases)
via GitHub
2026/04/01
[I] JWT API Authentication Success Not Logged (tooling-trusted-releases)
via GitHub
2026/04/01
[I] SSH Authentication Pathway Lacks Rate Limiting (tooling-trusted-releases)
via GitHub
2026/04/01
[I] In-Memory Hash Function Could Process Unbounded Data (tooling-trusted-releases)
via GitHub
2026/04/01
[I] SSH Authentication Surface Not Covered in Authentication Security Documentation (tooling-trusted-releases)
via GitHub
2026/04/01
[I] No Cleanup or Aggregate Limit for Upload Staging Directories (tooling-trusted-releases)
via GitHub
2026/04/01
[I] No Application-Level HTTPS Enforcement for API Endpoints (tooling-trusted-releases)
via GitHub
2026/04/01
[I] No File Size Limit on Web Upload Staging Endpoint (tooling-trusted-releases)
via GitHub
2026/04/01
[I] Upload Staging Token Lacks Session Management Properties (tooling-trusted-releases)
via GitHub
2026/04/01
[I] Form Hidden Field Validated Against Wrong Source (tooling-trusted-releases)
via GitHub
2026/04/01
[I] Upload Session Not Validated Against Project/Version Context (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [PR] Updates to dev/test/production mode detection (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [I] Global Session Validation Hook Checks Age But Not Account Status (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [PR] Merging 952 and 992 (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [I] Form Fields Bypass Safe Type Validation (Multiple Instances) (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [PR] #776 - implement 50k character limit for vote comment and support passing form errors through a cache in the form module instead of via flash in the session (tooling-trusted-releases)
via GitHub
2026/04/01
[PR] Merging 952 and 992 (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [PR] Periodic recheck of LDAP status (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [PR] Possible LDAP implementation for review (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [I] Missing `--` Separator and Unsafe Argument Order in `sbomqs` Execution (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [I] Trusted Publishing Cross-Field Validation Bypassed Via Web Form (tooling-trusted-releases)
via GitHub
2026/04/01
Re: [PR] Extract some of the validation for TP configuration into a shared helper (tooling-trusted-releases)
via GitHub
2026/04/01
[PR] Updates to dev/test/production mode detection (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [I] LDAP state in dev/debug/test modes and users (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [I] LDAP state in dev/debug/test modes and users (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [PR] Periodic recheck of LDAP status (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [PR] Periodic recheck of LDAP status (tooling-trusted-releases)
via GitHub
2026/03/31
[GH] Periodic recheck of LDAP status (tooling-trusted-releases)
via GitHub
2026/03/31
[GH] Periodic recheck of LDAP status (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [I] Documented Rate Limits Missing on Multiple API Endpoints (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [I] Documented Rate Limits Missing on Multiple API Endpoints (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [I] State-Changing API Endpoints Lack Per-Endpoint Rate Limits (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [I] State-Changing API Endpoints Lack Per-Endpoint Rate Limits (tooling-trusted-releases)
via GitHub
2026/03/31
[PR] Extract some of the validation for TP configuration into a shared helper (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [I] Unsanitized Markdown-to-HTML Conversion Allows Stored XSS in SBOM Vulnerability Descriptions (tooling-trusted-releases)
via GitHub
2026/03/31
[PR] Periodic recheck of LDAP status (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [PR] Possible LDAP implementation for review (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [I] Vote content fields lack length and content validation (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [I] Distribution Operations Have No Audit Logging (tooling-trusted-releases)
via GitHub
2026/03/31
Re: [I] Admin User Impersonation Has No Audit Trail (tooling-trusted-releases)
via GitHub
2026/03/30
[I] No Automatic Credential Revocation on Account Disable (tooling-trusted-releases)
via GitHub
2026/03/30
[I] SSH Interface Lacks Rate Limiting for Write Operations (tooling-trusted-releases)
via GitHub
2026/03/30
[I] API Models Lack Cross-Field Contextual Validation (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Optional Safe-Type URL Parameters Bypass Validation (tooling-trusted-releases)
via GitHub
2026/03/30
[I] SBOM score_tool Uses previous_release_version in Path Without Validation (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Finish-Phase Operations Executable During Any Release Phase (tooling-trusted-releases)
via GitHub
2026/03/30
[I] API Policy Update Bypasses Form-Level Business Validation (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Tar Archive Extraction Uses Explicitly Insecure Default Filter (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Thread ID Parameter Lacks Format Validation Before Server-Side Request (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Archive Extraction Does Not Inspect or Sanitize SVG Files (tooling-trusted-releases)
via GitHub
2026/03/30
[I] HTTP Redirects Followed Without Target Domain Validation (tooling-trusted-releases)
via GitHub
2026/03/30
[I] No SVG Sanitization Library or Function Exists in Codebase (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Form Fields Bypass Safe Type Validation (Multiple Instances) (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Unsandboxed render_string_sync API Allows Arbitrary Jinja2 Template Compilation (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Sequential Template Substitution Allows Variable Injection in Email Templates (tooling-trusted-releases)
via GitHub
2026/03/30
[I] LDAP Filter Injection in Account Lookup Function (Multiple Files) (tooling-trusted-releases)
via GitHub
2026/03/30
[I] User Input Used Directly as RegExp Without Escaping in Project Directory Filter (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Missing `--` Separator and Unsafe Argument Order in `sbomqs` Execution (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Missing URL Protocol Validation for Third-Party Distribution URLs Rendered in HTML (tooling-trusted-releases)
via GitHub
2026/03/30
[I] SSH Host Key Generated with RSA 2048-bit (~112 bits of security) (tooling-trusted-releases)
via GitHub
2026/03/30
[I] No Validation of Uploaded OpenPGP Key Cryptographic Strength (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Distribution Operations Have No Audit Logging (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Git Clone Operations Without Network Timeout (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Missing Centralized Documentation of Resource-Intensive Operations (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Archive Extraction Size Tracking Reset by Metadata Files (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Unbounded Directory Traversal and File Hashing in Signature Provenance Endpoint (tooling-trusted-releases)
via GitHub
2026/03/30
[I] rsync Subprocess Execution Without Timeout (tooling-trusted-releases)
via GitHub
2026/03/30
[I] API JWT Creation Endpoint Missing Cache-Control Header (tooling-trusted-releases)
via GitHub
2026/03/30
[I] ALLOW_TESTS Flag Enables Complete Authentication Bypass in Production Worker (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Missing Project-Level Access Control on Multiple GET Endpoints (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Admin Token Revocation Does Not Terminate User Web Sessions (tooling-trusted-releases)
via GitHub
2026/03/30
[I] IDOR in Check Ignore Operations via Numeric ID (tooling-trusted-releases)
via GitHub
2026/03/30
[I] IDOR on check_id in Check Result Data Endpoint (tooling-trusted-releases)
via GitHub
2026/03/30
[I] OAuth Authentication Does Not Terminate Prior Session Token (tooling-trusted-releases)
via GitHub
2026/03/30
[I] No Session Termination After PAT Deletion or Creation (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Documented Rate Limits Missing on Multiple API Endpoints (tooling-trusted-releases)
via GitHub
2026/03/30
[I] SBOM Task Functions Use File Paths Without Containment Validation (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Vote Resolution Phase Transitions Lack Optimistic Locking (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Upload Staging Endpoint Ignores Authentication Context (tooling-trusted-releases)
via GitHub
2026/03/30
[I] State-Changing API Endpoints Lack Per-Endpoint Rate Limits (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Release Vote Logic Validation Always Passes Due to Catch-All Pattern (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Missing Phase Validation in Vote Start Flow (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Trusted Publishing Cross-Field Validation Bypassed Via Web Form (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Unsanitized Markdown-to-HTML Conversion Allows Stored XSS in SBOM Vulnerability Descriptions (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Vote Policy Form Bypasses Minimum Hours Range Check (tooling-trusted-releases)
via GitHub
2026/03/30
[I] OpenPGP Key Management Entirely Lacks Audit Logging (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Committee Key Bulk Deletion Bypasses Storage Layer and Audit (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Admin User Impersonation Has No Audit Trail (tooling-trusted-releases)
via GitHub
2026/03/30
[I] No Global Anti-Caching Middleware (Architectural Gap) (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Admin Environment Variable Endpoint Exposes All Secrets Without Redaction (tooling-trusted-releases)
via GitHub
2026/03/30
[I] SVN Operations Disable TLS Certificate Verification (Supply Chain Risk) (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Key-Committee Association Bypasses Storage Layer Authorization (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Global Session Validation Hook Checks Age But Not Account Status (tooling-trusted-releases)
via GitHub
2026/03/30
[I] SSH Authentication Completely Bypasses LDAP Account Status Checks (tooling-trusted-releases)
via GitHub
2026/03/30
[PR] Bump actions/cache from 5.0.3 to 5.0.4 (tooling-trusted-releases)
via GitHub
2026/03/30
[PR] Bump pygments from 2.19.2 to 2.20.0 (tooling-releases-client)
via GitHub
2026/03/30
[PR] Bump actions/cache from 4.2.0 to 5.0.4 (tooling-actions)
via GitHub
2026/03/30
Re: [PR] Bump actions/cache from 5.0.2 to 5.0.3 (tooling-releases-client)
via GitHub
2026/03/30
[PR] Bump actions/cache from 5.0.3 to 5.0.4 (tooling-releases-client)
via GitHub
2026/03/30
Re: [PR] Bump actions/cache from 5.0.2 to 5.0.3 (tooling-releases-client)
via GitHub
2026/03/30
[PR] Possible LDAP implementation for review (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [PR] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [I] Bugs in vote counting algorithm (tooling-trusted-releases)
via GitHub
2026/03/30
[I] Starting server with env var for expected secret crashes server (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [I] Committees page allow four up cards (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [I] Committee page seeing keys buttons when not a PMC member (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [I] Expand SBOM support (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [I] Added features to email Message class in `atr/mail.py` (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [I] Add a directory creation hint to the file management interface (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [I] Move file planner UX to compose phase (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [I] Allow private vote threads to be tallied (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [I] Anonymous emails come back from lists.a.o (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [PR] Bump cryptography from 46.0.5 to 46.0.6 (tooling-trusted-releases)
via GitHub
2026/03/30
Re: [PR] Bump cryptography from 46.0.5 to 46.0.6 (tooling-trusted-releases)
via GitHub
2026/03/28
[PR] Bump cryptography from 46.0.5 to 46.0.6 (tooling-trusted-releases)
via GitHub
2026/03/28
Re: [I] Improve vote counting algorithm (tooling-trusted-releases)
via GitHub
2026/03/28
[I] Improve vote counting algorithm (tooling-trusted-releases)
via GitHub
2026/03/27
Re: [PR] DRAFT: moving file planner to compose phase (tooling-trusted-releases)
via GitHub
2026/03/27
Re: [I] Move file planner UX to compose phase (tooling-trusted-releases)
via GitHub
2026/03/27
Re: [I] LDAP state in dev/debug/test modes and users (tooling-trusted-releases)
via GitHub
2026/03/27
Re: [I] Move file planner UX to compose phase (tooling-trusted-releases)
via GitHub
2026/03/26
Re: [I] Add a countdown timer till the end of the vote on the vote page (tooling-trusted-releases)
via GitHub
2026/03/26
Re: [I] Add a countdown timer till the end of the vote on the vote page (tooling-trusted-releases)
via GitHub
2026/03/26
Re: [PR] Audit docs, code, and reports (tooling-agents)
via GitHub
2026/03/26
Re: [PR] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
2026/03/26
[PR] DRAFT: #931 - moving file planner to compose phase (tooling-trusted-releases)
via GitHub
2026/03/26
Re: [PR] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
2026/03/26
Re: [I] LDAP state in dev/debug/test modes and users (tooling-trusted-releases)
via GitHub
2026/03/26
[GH] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
2026/03/26
Re: [PR] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
2026/03/26
[GH] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
2026/03/26
[GH] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
2026/03/26
[GH] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
2026/03/25
[PR] Audit docs, code, and reports (tooling-agents)
via GitHub
2026/03/25
[GH] Invalidate SSH keys (tooling-trusted-releases)
via GitHub
2026/03/25
[I] LDAP state in dev/debug/test modes and users (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Evaluate compliance with ASVS v5.0.0 L1 criteria (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Discuss upstreaming of certain components (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Evaluate compliance with ASVS v5.0.0 L1 criteria (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Discuss upstreaming of certain components (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Remove strict checking (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Remove strict checking (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Use a prefix for all secret tokens, and inform selected third party scanners (tooling-trusted-releases)
via GitHub
2026/03/25
[GH] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Require passing vote and time period before allowing vote completion (tooling-trusted-releases)
via GitHub
2026/03/25
[I] Remove strict checking (tooling-trusted-releases)
via GitHub
2026/03/25
[PR] #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Add a cancellation vote resolution option (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Add a cancellation vote resolution option (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Remove (not implement) the "Pause for RM" release policy option (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Remove (not implement) the "Pause for RM" release policy option (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Mailing recipient improvements (tooling-trusted-releases)
via GitHub
2026/03/25
Re: [I] Mailing recipient improvements (tooling-trusted-releases)
via GitHub
2026/03/25
[I] Add a countdown timer till the end of the vote on the vote page (tooling-trusted-releases)
via GitHub
2026/03/25
[I] Update Pygments when a fix for CVE-2026-4539 is available (tooling-trusted-releases)
via GitHub
2026/03/24
Re: [I] Implement server-side session store to enable session revocation (tooling-trusted-releases)
via GitHub
2026/03/24
[I] Allow private vote threads to be tallied (tooling-trusted-releases)
via GitHub
2026/03/24
[GH] Invalidate SSH keys (tooling-trusted-releases)
via GitHub
2026/03/24
Re: [I] Review Maven ATR plugin and make recommendations (tooling-trusted-releases)
via GitHub
2026/03/24
Re: [I] Review Maven ATR plugin and make recommendations (tooling-trusted-releases)
via GitHub
2026/03/24
[VOTE] Release Tooling 0.3b
sbp
2026/03/24
[VOTE] Release Tooling 0.3a
sbp
2026/03/24
[I] Supporting Erlang distribution channel (tooling-trusted-releases)
via GitHub
2026/03/24
Re: [I] Improve the accuracy and UI for the OSV vulnerability scanner (tooling-trusted-releases)
via GitHub
2026/03/24
Re: [I] Improve the accuracy and UI for the OSV vulnerability scanner (tooling-trusted-releases)
via GitHub
2026/03/24
Re: [I] Expand SBOM support (tooling-trusted-releases)
via GitHub
2026/03/24
Re: [I] Expand SBOM support (tooling-trusted-releases)
via GitHub
2026/03/23
[I] Committee release catalog schema and model complete (tooling-trusted-releases)
via GitHub
2026/03/23
[I] Update start release form to incorporate project cycles (tooling-trusted-releases)
via GitHub
2026/03/23
[I] Project schema and models complete (tooling-trusted-releases)
via GitHub
2026/03/23
[I] Finish feature complete (tooling-trusted-releases)
via GitHub
2026/03/23
[I] Require passing vote and time period before allowing vote completion (tooling-trusted-releases)
via GitHub
2026/03/23
[I] Vote feature complete (tooling-trusted-releases)
via GitHub
2026/03/23
[I] Move file planner UX to compose phase (tooling-trusted-releases)
via GitHub
2026/03/23
[I] Compose feature complete (tooling-trusted-releases)
via GitHub
2026/03/23
Re: [PR] Bump astral-sh/setup-uv from 7.3.1 to 7.6.0 (tooling-trusted-releases)
via GitHub
2026/03/23
Re: [PR] Bump biomejs/setup-biome from 2.7.0 to 2.7.1 (tooling-trusted-releases)
via GitHub
2026/03/23
[PR] Bump astral-sh/setup-uv from 7.3.1 to 7.6.0 (tooling-trusted-releases)
via GitHub
2026/03/23
[PR] Bump biomejs/setup-biome from 2.7.0 to 2.7.1 (tooling-trusted-releases)
via GitHub