andrewmusselman opened a new pull request, #575:
URL: https://github.com/apache/tooling-trusted-releases/pull/575

   ## Pull request summary
   
   This PR adds security documentation to satisfy issue #555 (ASVS requirements 15.1.1, 8.1.1, 2.1.1, 6.1.1).
   
   ## New files
   
   **SECURITY.md** (repository root)
   Vulnerability reporting policy directing reporters to the ASF Security Team ([email protected]), with scope definition and link to ASF security process.
   
   **atr/docs/security-authentication.md** (section 3.11)
   Documents authentication mechanisms: ASF OAuth for web sessions, PAT/JWT system for API access, token lifecycle, security properties, and known limitations from `notes/api-security.md`.
   
   **atr/docs/security-authorization.md** (section 3.12)
   Documents the RBAC model derived from ASF LDAP, including roles (committer, participant, PMC member, etc.), access control rules for releases/projects/tokens, implementation patterns, and caching behavior.
   
   **atr/docs/input-validation.md** (section 3.13)
   Documents validation strategy: Pydantic form validation, CSRF protection, validation rules by input type, data integrity checks from `validate.py`, output encoding, file upload security, and injection prevention.
   
   ## Modified files
   
   **atr/docs/developer-guide.md**
   Added links to new sections 3.11-3.13 and a "Security documentation" section.
   
   **atr/docs/index.md**
   Added table of contents entries for the three new pages.
   
   **atr/docs/how-to-contribute.md**
   Updated "Next" link to point to security-authentication.
   
   ## Required acknowledgements
   
   Please replace each `[ ]` with `[x]` to confirm.
   PRs missing confirmations may be closed or converted to Draft.
   
   * [x] I have read and followed **CONTRIBUTING.md**
   * [x] I have read **DEVELOPMENT.md**
   * [x] I have run the required tests and checks locally
   * [x] All required checks are currently passing
   * [x] This branch is **rebased on the current `main` branch**
   
   ---
   
   ## Rebase confirmation details (optional but encouraged)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
