On 9/29/23 08:42, Sara Golemon wrote:
> On Thu, Sep 28, 2023 at 5:20 PM Ben Ramsey <ram...@php.net> wrote:
>> I've added documentation inline in the security.txt file
>
> To add some nitpicky bikeshedding, I'd put those instructions elsewhere (maybe php-src:docs/release-process.md ?) and only have a single line in the security.txt file referring out to that. The focus of the security.txt file should BE the metadata.
>
> +1 on the concept, and I do like the idea of making it part of the new branch release process as well as having one of the new RMs being the ones to sign it.
>
> -Sara
I didn't like having them in the `security.txt` file, either, but I wasn't sure where to put them, since they're technically not part of the release process.
I've updated my PR here: https://github.com/php/php-src/pull/12316

It has the instructions in a separate `docs/security-policies.md` file: https://github.com/ramsey/php-src/blob/security-txt/docs/security-policies.md

The `release-process.md` doc is amended here (in that same PR): https://github.com/ramsey/php-src/blob/security-txt/docs/release-process.md#preparing-for-the-initial-stable-version-php-xy0

And the `security.txt` file in web-php now looks like this: https://github.com/ramsey/web-php/blob/security-txt/.well-known/security.txt

Cheers,
Ben
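As an added example (not code from the PR, php-src or web-php), the kind of check a release manager could run on the metadata-only `security.txt` the thread settles on: it parses the RFC 9116 fields and flags a missing `Contact`, a stale or over-long `Expires`, and non-https URIs. The sample file is constructed here; it is not the php.net file linked above.

```python
"""Parse and sanity-check a security.txt file against RFC 9116 basics."""
from datetime import datetime, timedelta, timezone

# Constructed sample file; not the php.net security.txt from the thread.
SAMPLE = """\
# Constructed example of a security.txt
Contact: mailto:security@example.org
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.org/pgp-key.txt
Canonical: https://example.org/.well-known/security.txt
"""

def parse_security_txt(text):
    """Return {field_name_lowercase: [values]}, skipping blank lines and # comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems (empty = passes). `now` is an optional ISO-8601 timestamp."""
    def to_dt(s):  # accept the RFC 3339 'Z' suffix that fromisoformat() predates
        return datetime.fromisoformat(s.replace("Z", "+00:00"))
    now_dt = to_dt(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if "contact" not in fields:
        problems.append("Contact is required")
    for uri in fields.get("contact", []):
        if not uri.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact must be an https/mailto/tel URI: {uri}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        exp = to_dt(expires[0])
        if exp <= now_dt:
            problems.append("Expires is in the past; the file must be refreshed")
        elif exp > now_dt + timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 recommends less")
    for uri in fields.get("canonical", []) + fields.get("encryption", []):
        if not uri.startswith("https://"):
            problems.append(f"non-https URI: {uri}")
    return problems
```

The OpenPGP cleartext signature the RM would add wraps this same text, so the check is meant to run on the unsigned body before signing.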