I don’t see any harm having more documentation. It’s kinda like the Apple philosophy of trying to make everything that someone would think of doing on a computer actually work like they think it would…right? The more intuitive we can make things the better we will end up being, I would think.
Thoughts?

-Rob

> On Aug 22, 2020, at 11:26 AM, Gilles Sadowski <[email protected]> wrote:
>
> 2020-08-22 16:40 UTC+02:00, Gary Gregory <[email protected]>:
>> Two items: (1) security is different
>
> from what?
>
>> because, well, it seems obvious to me
>> that anything security related should be as accessible as possible as
>> opposed to going through an extra hoop
>
> YMMV, but IMHO the (unique) "source of truth" is on the ASF
> web site(s):
> https://apache.org
> https://commons.apache.org
>
> This
> https://github.com/apache/commons-io/security/policy
> obviously (?) looks less authoritative.
>
> and... makes for an "extra hoop".
>
>> and (2) making/keeping our GitHub
>> presence a first class citizen in how we put a face on the project.
>
> How does duplicate information improve anything
> (marketing or otherwise)?
>
> Ultimately, reports still have to be posted to an ASF-hosted
> ML, and not on GH.
>
> Gilles
>
>>
>> Gary
>>
>> On Sat, Aug 22, 2020, 10:15 Gilles Sadowski <[email protected]> wrote:
>>
>>> Hi.
>>>
>>> 2020-08-22 15:26 UTC+02:00, Gary Gregory <[email protected]>:
>>>> Hi All,
>>>>
>>>> You may have noticed (or not) that GitHub has a Security [1] tab for
>>>> our repositories. On this tab, you can define a Security Policy.[2] in a
>>>> SECURITY.md (just like we have a README.md).
>>>>
>>>> I would like to fill this in with the same text we now have here:
>>>> https://commons.apache.org/security.html
>>>>
>>>> Each repository should end up with a SECURITY.md which in theory should
>>>> be the same.
>>>
>>> As in code, I'd prefer to avoid such duplicated files; currently,
>>> as you point out above, this is managed via our common web
>>> site.
>>> I'm pretty sure the duplication will proceed; so at least, the
>>> contents of this file should just be a terse:
>>> ---CUT---
>>> To report a security problem, please read the
>>> [Apache Commons project's security
>>> page](https://commons.apache.org/security.html).
>>> ---CUT---
>>>
>>> Regards,
>>> Gilles
>>>
>>>>
>>>> Gary
>>>>
>>>> [1] https://github.com/apache/commons-compress/security
>>>> [2]
>>>> https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>>
>>
>
