dev  

Messages by Thread

• Re: [I] Update pre-commit lint to use uv and act on push (tooling-docs) via GitHub
• Re: [I] Provide clear instructions for running pre-check locally (tooling-docs) via GitHub
• Re: [I] We could add a `Dependabot` config for `actions` updates (tooling-docs) via GitHub
• [I] Make build-bootstrap error (tooling-trusted-releases) via GitHub
  • Re: [I] Make build-bootstrap error (tooling-trusted-releases) via GitHub
  • Re: [I] Make build-bootstrap error (tooling-trusted-releases) via GitHub
• [PR] Bump pygments from 2.18.0 to 2.20.0 (tooling-docs) via GitHub
  • Re: [PR] Bump pygments from 2.18.0 to 2.20.0 (tooling-docs) via GitHub
  • Re: [PR] Bump pygments from 2.18.0 to 2.20.0 (tooling-docs) via GitHub
• [PR] Bump requests from 2.32.5 to 2.33.0 (tooling-docs) via GitHub
  • Re: [PR] Bump requests from 2.32.5 to 2.33.0 (tooling-docs) via GitHub
  • Re: [PR] Bump requests from 2.32.5 to 2.33.0 (tooling-docs) via GitHub
• [PR] Bump virtualenv from 20.35.4 to 20.36.1 (tooling-docs) via GitHub
  • Re: [PR] Bump virtualenv from 20.35.4 to 20.36.1 (tooling-docs) via GitHub
  • Re: [PR] Bump virtualenv from 20.35.4 to 20.36.1 (tooling-docs) via GitHub
• [PR] Bump urllib3 from 2.5.0 to 2.6.3 (tooling-docs) via GitHub
  • Re: [PR] Bump urllib3 from 2.5.0 to 2.6.3 (tooling-docs) via GitHub
  • Re: [PR] Bump urllib3 from 2.5.0 to 2.6.3 (tooling-docs) via GitHub
• [PR] Bump filelock from 3.20.0 to 3.20.3 (tooling-docs) via GitHub
  • Re: [PR] Bump filelock from 3.20.0 to 3.20.3 (tooling-docs) via GitHub
  • Re: [PR] Bump filelock from 3.20.0 to 3.20.3 (tooling-docs) via GitHub
  • Re: [PR] Bump filelock from 3.20.0 to 3.20.3 (tooling-docs) via GitHub
• [PR] Bump astral-sh/setup-uv from 7.6.0 to 8.0.0 (tooling-trusted-releases) via GitHub
  • Re: [PR] Bump astral-sh/setup-uv from 7.6.0 to 8.0.0 (tooling-trusted-releases) via GitHub
• [PR] Bump astral-sh/setup-uv from 7.6.0 to 8.0.0 (tooling-actions) via GitHub
  • Re: [PR] Bump astral-sh/setup-uv from 7.6.0 to 8.0.0 (tooling-actions) via GitHub
  • Re: [PR] Bump astral-sh/setup-uv from 7.6.0 to 8.0.0 (tooling-actions) via GitHub
• [PR] Bump astral-sh/setup-uv from 6.4.3 to 8.0.0 (tooling-releases-client) via GitHub
  • Re: [PR] Bump astral-sh/setup-uv from 6.4.3 to 8.0.0 (tooling-releases-client) via GitHub
• [I] Make server startup more efficient (tooling-trusted-releases) via GitHub
  • Re: [I] Make server startup more efficient (tooling-trusted-releases) via GitHub
  • Re: [I] Make server startup more efficient (tooling-trusted-releases) via GitHub
  • Re: [I] Make server startup more efficient (tooling-trusted-releases) via GitHub
• [I] Document vhost configuration (tooling-trusted-releases) via GitHub
  • Re: [I] Document vhost configuration (tooling-trusted-releases) via GitHub
  • Re: [I] Document vhost configuration (tooling-trusted-releases) via GitHub
• [I] Principal Authorization Cache Lacks Purge for Inactive Users (tooling-trusted-releases) via GitHub
  • Re: [I] Principal Authorization Cache Lacks Purge for Inactive Users (tooling-trusted-releases) via GitHub
• [I] HTTP TRACE Method Not Disabled at Apache Reverse Proxy (tooling-trusted-releases) via GitHub
  • Re: [I] HTTP TRACE Method Not Disabled at Apache Reverse Proxy (tooling-trusted-releases) via GitHub
  • Re: [I] HTTP TRACE Method Not Disabled at Apache Reverse Proxy (tooling-trusted-releases) via GitHub
  • Re: [I] HTTP TRACE Method Not Disabled at Apache Reverse Proxy (tooling-trusted-releases) via GitHub
  • Re: [I] HTTP TRACE Method Not Disabled at Apache Reverse Proxy (tooling-trusted-releases) via GitHub
• [I] No Comprehensive Endpoint-to-Authorization Mapping (tooling-trusted-releases) via GitHub
  • Re: [I] No Comprehensive Endpoint-to-Authorization Mapping (tooling-trusted-releases) via GitHub
• [I] Database Connection URL Logged at Startup (tooling-trusted-releases) via GitHub
  • Re: [I] Database Connection URL Logged at Startup (tooling-trusted-releases) via GitHub
• [I] `nbf` Claim Not Enforced as Required in ATR JWT Verification (tooling-trusted-releases) via GitHub
  • Re: [I] `nbf` Claim Not Enforced as Required in ATR JWT Verification (tooling-trusted-releases) via GitHub
  • Re: [I] `nbf` Claim Not Enforced as Required in ATR JWT Verification (tooling-trusted-releases) via GitHub
• [I] Pre-Release (Release Candidate) Dependency Used in Production (tooling-trusted-releases) via GitHub
• [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
  • Re: [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
  • Re: [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
  • Re: [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
  • Re: [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
  • Re: [I] No WebSocket Origin Validation Framework Exists (tooling-trusted-releases) via GitHub
• [I] Client-Side JWT Display TypeScript Not Available for Complete Audit (tooling-trusted-releases) via GitHub
  • Re: [I] Client-Side JWT Display TypeScript Not Available for Complete Audit (tooling-trusted-releases) via GitHub
  • Re: [I] Client-Side JWT Display TypeScript Not Available for Complete Audit (tooling-trusted-releases) via GitHub
  • [I] Client-Side JWT Display TypeScript Not Available for Complete Audit (tooling-trusted-releases) via GitHub
  • Re: [I] Client-Side JWT Display TypeScript Not Available for Complete Audit (tooling-trusted-releases) via GitHub
• [I] innerHTML Read Used Where textContent Is Appropriate (tooling-trusted-releases) via GitHub
  • Re: [I] innerHTML Read Used Where textContent Is Appropriate (tooling-trusted-releases) via GitHub
• [I] API Error Responses Leak Internal Error Details (tooling-trusted-releases) via GitHub
  • Re: [I] API Error Responses Leak Internal Error Details (tooling-trusted-releases) via GitHub
• [I] Web-Issued JWTs Lack PAT Binding and Cannot Be Individually Revoked (tooling-trusted-releases) via GitHub
• [I] Vote Casting POST Endpoint Relies on Indirect Phase Check (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Casting POST Endpoint Relies on Indirect Phase Check (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Casting POST Endpoint Relies on Indirect Phase Check (tooling-trusted-releases) via GitHub
• [I] Inconsistent CSRF Enforcement Pattern on Admin POST Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Inconsistent CSRF Enforcement Pattern on Admin POST Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Inconsistent CSRF Enforcement Pattern on Admin POST Endpoints (tooling-trusted-releases) via GitHub
• [I] JWT DOM Auto-Clear Lacks Page Lifecycle Event Handlers (tooling-trusted-releases) via GitHub
• [I] Project Deletion Missing Additional Authorization Checks (tooling-trusted-releases) via GitHub
• [I] Documentation Missing Cross-Entity Business Logic Validation Rules (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Missing Cross-Entity Business Logic Validation Rules (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Missing Cross-Entity Business Logic Validation Rules (tooling-trusted-releases) via GitHub
• [I] API Models Lack Enum Validation for Phase Parameter (tooling-trusted-releases) via GitHub
  • Re: [I] API Models Lack Enum Validation for Phase Parameter (tooling-trusted-releases) via GitHub
  • Re: [I] API Models Lack Enum Validation for Phase Parameter (tooling-trusted-releases) via GitHub
• [I] Neither Vhost Sanitizes X-Forwarded-Host (tooling-trusted-releases) via GitHub
  • Re: [I] Neither Vhost Sanitizes X-Forwarded-Host (tooling-trusted-releases) via GitHub
  • Re: [I] Neither Vhost Sanitizes X-Forwarded-Host (tooling-trusted-releases) via GitHub
• [I] Documentation Does Not Describe Failed Authentication Monitoring and Alerting (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Does Not Describe Failed Authentication Monitoring and Alerting (tooling-trusted-releases) via GitHub
  • Re: [I] Documentation Does Not Describe Failed Authentication Monitoring and Alerting (tooling-trusted-releases) via GitHub
• [I] Missing .dockerignore for Build Context Optimization (tooling-trusted-releases) via GitHub
  • Re: [I] Missing .dockerignore for Build Context Optimization (tooling-trusted-releases) via GitHub
  • Re: [I] Missing .dockerignore for Build Context Optimization (tooling-trusted-releases) via GitHub
• [I] Vote Tabulation Authorization Check Commented Out (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Tabulation Authorization Check Commented Out (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Tabulation Authorization Check Commented Out (tooling-trusted-releases) via GitHub
• [I] SSH Authentication Success Not Logged (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Success Not Logged (tooling-trusted-releases) via GitHub
  • Re: [I] SSH Authentication Success Not Logged (tooling-trusted-releases) via GitHub
• [I] JWT TTL Documentation Inconsistency (tooling-trusted-releases) via GitHub
  • Re: [I] JWT TTL Documentation Inconsistency (tooling-trusted-releases) via GitHub
• [I] Internal Documentation Publicly Exposed (tooling-trusted-releases) via GitHub
  • Re: [I] Internal Documentation Publicly Exposed (tooling-trusted-releases) via GitHub
  • Re: [I] Internal Documentation Publicly Exposed (tooling-trusted-releases) via GitHub
• [I] GET Blueprint Lacks Centralized Project-Level Authorization (tooling-trusted-releases) via GitHub
  • Re: [I] GET Blueprint Lacks Centralized Project-Level Authorization (tooling-trusted-releases) via GitHub
  • Re: [I] GET Blueprint Lacks Centralized Project-Level Authorization (tooling-trusted-releases) via GitHub
  • Re: [I] GET Blueprint Lacks Centralized Project-Level Authorization (tooling-trusted-releases) via GitHub
  • Re: [I] GET Blueprint Lacks Centralized Project-Level Authorization (tooling-trusted-releases) via GitHub
• [I] Server Does Not Enforce Cipher Suite Preference Order (tooling-trusted-releases) via GitHub
  • Re: [I] Server Does Not Enforce Cipher Suite Preference Order (tooling-trusted-releases) via GitHub
  • [I] Server Does Not Enforce Cipher Suite Preference Order (tooling-trusted-releases) via GitHub
  • Re: [I] Server Does Not Enforce Cipher Suite Preference Order (tooling-trusted-releases) via GitHub
  • Re: [I] Server Does Not Enforce Cipher Suite Preference Order (tooling-trusted-releases) via GitHub
• [I] JWT Claims Including User Identity Logged at DEBUG Level (tooling-trusted-releases) via GitHub
  • Re: [I] JWT Claims Including User Identity Logged at DEBUG Level (tooling-trusted-releases) via GitHub
• [I] ZIP Download Streaming Without Size or Time Guards (tooling-trusted-releases) via GitHub
  • Re: [I] ZIP Download Streaming Without Size or Time Guards (tooling-trusted-releases) via GitHub
• [I] No Documented Risk-Based Remediation Timeframes for Vulnerable Components (tooling-trusted-releases) via GitHub
• [I] Unbounded Distribution Status Check Loop (tooling-trusted-releases) via GitHub
  • Re: [I] Unbounded Distribution Status Check Loop (tooling-trusted-releases) via GitHub
• [I] Syft Installed via Unverified Remote Script Execution (tooling-trusted-releases) via GitHub
• [I] Admin Debug Test Route /admin/raise-error Available in Production (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Debug Test Route /admin/raise-error Available in Production (tooling-trusted-releases) via GitHub
• [I] ZipResponse Does Not Enforce Content-Disposition: attachment (tooling-trusted-releases) via GitHub
  • Re: [I] ZipResponse Does Not Enforce Content-Disposition: attachment (tooling-trusted-releases) via GitHub
• [I] OSV Vulnerability Scanning Has No HTTP Timeout (tooling-trusted-releases) via GitHub
  • Re: [I] OSV Vulnerability Scanning Has No HTTP Timeout (tooling-trusted-releases) via GitHub
• [I] Thread Message Fetching Without Timeout or Concurrency Limit (tooling-trusted-releases) via GitHub
  • Re: [I] Thread Message Fetching Without Timeout or Concurrency Limit (tooling-trusted-releases) via GitHub
• [I] No Documented Update Timeframe for npm/Frontend Dependencies (tooling-trusted-releases) via GitHub
• [I] ShellResponse Serves Executable Content Without Content-Disposition: attachment (tooling-trusted-releases) via GitHub
  • Re: [I] ShellResponse Serves Executable Content Without Content-Disposition: attachment (tooling-trusted-releases) via GitHub
• [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
  • Re: [I] Full Email Content Logged at INFO Level (tooling-trusted-releases) via GitHub
• [I] Unauthenticated /api/tasks/list Endpoint Exposes Internal Error Details (tooling-trusted-releases) via GitHub
  • Re: [I] Unauthenticated /api/tasks/list Endpoint Exposes Internal Error Details (tooling-trusted-releases) via GitHub
  • Re: [I] Unauthenticated /api/tasks/list Endpoint Exposes Internal Error Details (tooling-trusted-releases) via GitHub
• [I] PAT Validation Exceptions Return HTTP 500 Instead of 401 (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Validation Exceptions Return HTTP 500 Instead of 401 (tooling-trusted-releases) via GitHub
  • [I] PAT Validation Exceptions Return HTTP 500 Instead of 401 (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Validation Exceptions Return HTTP 500 Instead of 401 (tooling-trusted-releases) via GitHub
• [I] API Models Accept Client-Submitted Identity Alongside JWT (tooling-trusted-releases) via GitHub
  • Re: [I] API Models Accept Client-Submitted Identity Alongside JWT (tooling-trusted-releases) via GitHub
• [I] Admin Pages Using web.ElementResponse() May Lack Logout Button (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Pages Using web.ElementResponse() May Lack Logout Button (tooling-trusted-releases) via GitHub
  • Re: [I] Admin Pages Using web.ElementResponse() May Lack Logout Button (tooling-trusted-releases) via GitHub
• [I] No "Revoke All Tokens for ALL Users" Global Capability (tooling-trusted-releases) via GitHub
  • Re: [I] No "Revoke All Tokens for ALL Users" Global Capability (tooling-trusted-releases) via GitHub
  • [I] No "Revoke All Tokens for ALL Users" Global Capability (tooling-trusted-releases) via GitHub
• [I] WorkflowSSHKey Entries Not Purged After Expiration (tooling-trusted-releases) via GitHub
  • Re: [I] WorkflowSSHKey Entries Not Purged After Expiration (tooling-trusted-releases) via GitHub
• [I] Inconsistent Defense-in-Depth in Distribution Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Inconsistent Defense-in-Depth in Distribution Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Inconsistent Defense-in-Depth in Distribution Endpoints (tooling-trusted-releases) via GitHub
  • Re: [I] Inconsistent Defense-in-Depth in Distribution Endpoints (tooling-trusted-releases) via GitHub
• [I] Unvalidated Identity Parameter in Email and Vote Operations (tooling-trusted-releases) via GitHub
  • Re: [I] Unvalidated Identity Parameter in Email and Vote Operations (tooling-trusted-releases) via GitHub
  • Re: [I] Unvalidated Identity Parameter in Email and Vote Operations (tooling-trusted-releases) via GitHub
• [I] Vote Duration Not Validated Against Release Policy Minimum (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Duration Not Validated Against Release Policy Minimum (tooling-trusted-releases) via GitHub
  • Re: [I] Vote Duration Not Validated Against Release Policy Minimum (tooling-trusted-releases) via GitHub
• [I] Unbounded PGP Key Block Processing in Bulk Operations (tooling-trusted-releases) via GitHub
  • Re: [I] Unbounded PGP Key Block Processing in Bulk Operations (tooling-trusted-releases) via GitHub
• [I] Public API Endpoints Expose Internal Implementation Fields (tooling-trusted-releases) via GitHub
  • Re: [I] Public API Endpoints Expose Internal Implementation Fields (tooling-trusted-releases) via GitHub
  • Re: [I] Public API Endpoints Expose Internal Implementation Fields (tooling-trusted-releases) via GitHub
• [I] Session Cache Persists Sensitive Data Indefinitely Without TTL (tooling-trusted-releases) via GitHub
  • Re: [I] Session Cache Persists Sensitive Data Indefinitely Without TTL (tooling-trusted-releases) via GitHub
  • Re: [I] Session Cache Persists Sensitive Data Indefinitely Without TTL (tooling-trusted-releases) via GitHub
• [I] Swagger UI and OpenAPI Specification Publicly Accessible (tooling-trusted-releases) via GitHub
  • Re: [I] Swagger UI and OpenAPI Specification Publicly Accessible (tooling-trusted-releases) via GitHub
• [I] Authorization Code Not URL-Encoded in Token Exchange Request (tooling-trusted-releases) via GitHub
  • Re: [I] Authorization Code Not URL-Encoded in Token Exchange Request (tooling-trusted-releases) via GitHub
  • Re: [I] Authorization Code Not URL-Encoded in Token Exchange Request (tooling-trusted-releases) via GitHub
• [I] User Identity Data Sent to External GitHub API (tooling-trusted-releases) via GitHub
  • Re: [I] User Identity Data Sent to External GitHub API (tooling-trusted-releases) via GitHub
• [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
  • [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
  • Re: [I] PAT Creation Not Audit-Logged (Inconsistency) (tooling-trusted-releases) via GitHub
• [I] General Library Update Timeframe Is Enforced but Undocumented as Policy (tooling-trusted-releases) via GitHub
  • Re: [I] General Library Update Timeframe Is Enforced but Undocumented as Policy (tooling-trusted-releases) via GitHub
  • [I] General Library Update Timeframe Is Enforced but Undocumented as Policy (tooling-trusted-releases) via GitHub
• [I] Storage Layer Bypassed for Revision Tag Modification (tooling-trusted-releases) via GitHub
  • Re: [I] Storage Layer Bypassed for Revision Tag Modification (tooling-trusted-releases) via GitHub
  • Re: [I] Storage Layer Bypassed for Revision Tag Modification (tooling-trusted-releases) via GitHub
• [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
  • Re: [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
  • [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
  • Re: [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
  • Re: [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
  • Re: [I] Unverifiable Session Cookie Write in atr.util (tooling-trusted-releases) via GitHub
• [I] Text Response Classes Rely on Implicit Charset from Werkzeug (tooling-trusted-releases) via GitHub
  • Re: [I] Text Response Classes Rely on Implicit Charset from Werkzeug (tooling-trusted-releases) via GitHub
• [I] JWT Audience Values Contain 'test' Identifier (tooling-trusted-releases) via GitHub

• Earlier messages
• Later messages