[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645856#comment-17645856
 ] 

Hudson commented on MNGSITE-503:


Build succeeded in Jenkins: Maven » Maven TLP » maven-site » master #194

See 
https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven-site/job/master/194/

> add .well-known/security.txt
> 
>
> Key: MNGSITE-503
> URL: https://issues.apache.org/jira/browse/MNGSITE-503
> Project: Maven Project Web Site
>  Issue Type: Improvement
>Reporter: Benjamin Marwell
>Assignee: Benjamin Marwell
>Priority: Major
>  Labels: security
>
> As per consensus on the mailing list (+1 from [~rmannibucau] and me), we 
> should add a file `.well-known/security.txt`.
> I will prepare a PR.
> References:
>  * [.well-known/security.txt at maven.apache.org 
> (mail-archive.com)|https://www.mail-archive.com/dev@maven.apache.org/msg128366.html]
>  * [.well-known/security.txt at maven.apache.org-Apache Mail 
> Archives|https://lists.apache.org/thread/tvfg1lx9nd72c9t4t4s3zlx6l0tpnmwy]
> * [RFC 9116|https://datatracker.ietf.org/doc/html/rfc9116]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645855#comment-17645855
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell merged PR #354:
URL: https://github.com/apache/maven-site/pull/354






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645850#comment-17645850
 ] 

Hudson commented on MNGSITE-503:


Build failed in Jenkins: Maven » Maven TLP » maven-site » PR-354 #10

See 
https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven-site/job/PR-354/10/



[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645849#comment-17645849
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345653699

   > This is not what I understand. The specification is not concrete enough 
for me.
   
   That's a legit statement. However, it could take some considerable amount of 
time until the issue you opened has been resolved (i.e. clarification and fix 
of the example). As @bdemers, @hboutemy and @slawekjaranowski are okay with the 
state as-is, let’s merge it and come back later if it needs attention.






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645801#comment-17645801
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345608669

   > When I open the RFC it clearly says
   > 
   > > The "Expires" field indicates the date and time[...]
   > 
   > and
   > 
   > > The value of this field is formatted according to[...]
   > 
   > I think it couldn't be more clear. They require date and time in the 
format defined in 8601. While 8601 also defines LocalDate, in this case they 
want a DateTimeInstant defined how 8601 would want to have it.
   
   This is not what I understand. The specification is not concrete enough for 
me. A telescoping approach should be fine otherwise an erratum is necessary. 






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645798#comment-17645798
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345602186

   When I open the RFC it clearly says 
   
   > The "Expires" field indicates the date and time[...]
   
   I think it couldn't be more clear.






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645795#comment-17645795
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345601859

   So, a researcher in the US gets more time. Interesting!
   
   Tbh I think only an instant makes sense to avoid this. Probably all scanners 
try to parse a time and "Z". It doesn't even hurt.






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645793#comment-17645793
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345600516

   > > Then just drop to date only. Fully valid ISO date
   > 
   > Spec explicitly asks for date and **TIME**.
   > 
   > +1 for Hervé's suggestion, will add later.
   
   https://www.rfc-editor.org/rfc/rfc9116#section-2.5.5 does not say that. It 
just says that the format has to comply with ISO 8601. Moreover, the example is 
invalid according to ISO 8601, and this is what I wrote Yakov yesterday. Unless 
it uses the word MUST, a local date is more than enough. Everything else is a 
problem with the RFC itself. 






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645791#comment-17645791
 ] 

ASF GitHub Bot commented on MNGSITE-503:


hboutemy commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045261766


##
content/filtered-resources/.well-known/security.txt:
##
@@ -0,0 +1,6 @@
+Contact: mailto:secur...@apache.org
+Contact: mailto:priv...@maven.apache.org
+Expires: ${maven.build.timestamp}
+Preferred-Languages: en
+Policy: https://www.apache.org/security/
+Policy: https://maven.apache.org/security.html
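Review bot: `Expires: ${maven.build.timestamp}` stamps the build instant, so the published file is already expired the moment it goes live; RFC 9116 section 2.5.5 (linked from the issue) expects a future date-time and recommends one less than a year ahead. Either derive the value from a property that carries an offset into the future, or hard-code a date-time and rotate it on a schedule. Also confirm that whatever is substituted here is a full RFC 3339 date-time with a zone designator (for example `2023-06-01T00:00:00Z`), since a bare date does not satisfy the field definition and the thread below shows reviewers disagreeing on exactly this point.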

Review Comment:
   IIUC, the intent in the RFC is to link to policies, not history. I don't 
really have any experience with this RFC.
   Given it seems intended for people to read, humans can guess I suppose, then 
not a strict problem: do as you feel better







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645790#comment-17645790
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345598388

   > Then just drop to date only. Fully valid ISO date
   
   Spec explicitly asks for date and **TIME**.
   
   +1 for Hervé's suggestion, will add later.






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645783#comment-17645783
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345579423

   > one idea: shouldn't we simplify with
   > 
   > ```
   > -MM-'01T00:00:00Z'
   > ```
   > 
   > ie just round to month, and forget about all the details for locale?
   > 
   > that would match the spirit of having an automatic date, but without 
having it changed too much: once per month, not every rebuild (then no noise at 
svnpubsub level on each build)
   > 
   > WDYT?
   
   Then just drop to date only. Fully valid ISO date






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645779#comment-17645779
 ] 

ASF GitHub Bot commented on MNGSITE-503:


hboutemy commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345568583

   one idea: shouldn't we simplify with
   ```
   -MM-'01T'00:00:00Z'
   ```
   i.e. just round to month, and forget about all the details for locale?
   
   that would match the spirit of having an automatic date that is not changed 
too much (once per month, not every rebuild)
   
   WDYT?




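Two points in this thread lend themselves to a concrete check: the disagreement over whether `Expires` may be a bare date or must be a date-time with a zone (RFC 9116 section 2.5.5 formats it per RFC 3339), and hboutemy's idea of rounding the generated value to the first of the month so rebuilds do not churn the published file. The following Python is an added example written for this page, not code from the maven-site PR or from the Apache project: it parses an `Expires` value strictly, runs a small set of RFC 9116 checks over a security.txt body, and generates a month-rounded value. It goes one step beyond the quoted suggestion by pushing the rounded value `months_ahead` into the future, because a first-of-current-month timestamp would already be in the past at build time. The sample file, its contact address and the `utc()` helper are constructed for the example.

```python
"""Checks and generation for the Expires field of a security.txt (RFC 9116)."""
import re
from datetime import datetime, timedelta, timezone

# RFC 9116 section 2.5.5 formats Expires per RFC 3339 (an Internet profile of
# ISO 8601): full date, 'T', full time, and a zone designator ('Z' or +-hh:mm).
RFC3339_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})[Tt]"
    r"(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?"
    r"([Zz]|[+-]\d{2}:\d{2})$"
)


def utc(*args):
    """Helper for this example: build an aware UTC datetime from y, m, d, [h, mi]."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_rfc3339(value):
    """Return an aware datetime for an RFC 3339 date-time, or None if invalid.

    A date-only value such as 2023-01-01 is rejected on purpose: without a
    time and zone it names a different instant in every time zone, so readers
    in different places would disagree about when the file expired.
    """
    m = RFC3339_RE.match(value.strip())
    if m is None:
        return None
    y, mo, d, h, mi, s, tz = m.groups()
    if tz.upper() == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    try:
        return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                        tzinfo=timezone(offset))
    except ValueError:  # month 13, second 60, offset beyond 24h, and so on
        return None


def check_security_txt(text, now):
    """Return a list of findings for a security.txt body (empty list = clean)."""
    fields = {}
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            findings.append(f"malformed line: {line!r}")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    if "contact" not in fields:
        findings.append("missing Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        when = parse_rfc3339(expires[0])
        if when is None:
            findings.append(f"Expires is not an RFC 3339 date-time: {expires[0]!r}")
        elif when <= now:
            findings.append("Expires is in the past; the file is stale")
        elif when - now > timedelta(days=366):
            findings.append("Expires is more than a year out (RFC 9116 recommends less)")
    return findings


def expires_for_build(build_time, months_ahead=6):
    """Emit an Expires value rounded to the first of a month, in UTC.

    Rounding means rebuilds within the same month produce an identical line,
    so the published file does not churn on every build; months_ahead pushes
    the value into the future so it is not already expired when published.
    """
    stamp = build_time.astimezone(timezone.utc)
    total = stamp.year * 12 + (stamp.month - 1) + months_ahead
    return f"{total // 12:04d}-{total % 12 + 1:02d}-01T00:00:00Z"


# Constructed sample resembling the file under review (placeholder contact,
# not the project's real addresses); its Expires is the build instant itself,
# which is exactly the failure mode of stamping the build time into the file.
SAMPLE = """\
Contact: mailto:security@example.org
Expires: 2022-12-11T09:41:00Z
Preferred-Languages: en
Policy: https://www.apache.org/security/
"""

if __name__ == "__main__":
    now = utc(2022, 12, 11, 12, 0)
    print(check_security_txt(SAMPLE, now))
    print(expires_for_build(now))
```

Running the module as-is reports the sample as stale and prints `2023-06-01T00:00:00Z` as the value a build on 2022-12-11 would emit with the default six months of validity; swap the sample's `Expires` for that value and the check list comes back empty.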


[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645758#comment-17645758
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045214262


##
content/filtered-resources/.well-known/security.txt:
##
@@ -0,0 +1,6 @@
+Contact: mailto:secur...@apache.org
+Contact: mailto:priv...@maven.apache.org
+Expires: ${maven.build.timestamp}
+Preferred-Languages: en
+Policy: https://www.apache.org/security/
+Policy: https://maven.apache.org/security.html
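Review bot: the file carries no `Canonical` field. RFC 9116 section 2.5.2 defines it to state the URI the file is meant to be served from, which lets a reader distinguish the copy served at https://maven.apache.org/.well-known/security.txt from one mirrored or re-hosted elsewhere, and the RFC recommends including it whenever the file is signed; consider adding `Canonical: https://maven.apache.org/.well-known/security.txt` alongside the Contact lines.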

Review Comment:
   That is what I was talking about 







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645751#comment-17645751
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045200050


##
content/filtered-resources/.well-known/security.txt:
##
@@ -0,0 +1,6 @@
+Contact: mailto:secur...@apache.org
+Contact: mailto:priv...@maven.apache.org
+Expires: ${maven.build.timestamp}
+Preferred-Languages: en
+Policy: https://www.apache.org/security/
+Policy: https://maven.apache.org/security.html

Review Comment:
   Ah. I linked it because of the existing CVEs. This might have been helpful. 
But if you really only want to include links to policies, that's okay for me, 
too.







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645750#comment-17645750
 ] 

ASF GitHub Bot commented on MNGSITE-503:


hboutemy commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045199323


##
content/filtered-resources/.well-known/security.txt:
##
@@ -0,0 +1,6 @@
+Contact: mailto:secur...@apache.org
+Contact: mailto:priv...@maven.apache.org
+Expires: ${maven.build.timestamp}
+Preferred-Languages: en
+Policy: https://www.apache.org/security/
+Policy: https://maven.apache.org/security.html

Review Comment:
   AFAIK, https://maven.apache.org/security.html does not provide anything 
related to policy, just eventually the link to https://www.apache.org/security/ 
= the previous link
   
   I think we should keep only the first "Policy" entry, not the second one







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645728#comment-17645728
 ] 

ASF GitHub Bot commented on MNGSITE-503:


kwin commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045181161


##
pom.xml:
##
@@ -232,6 +232,33 @@
 -->
 
   
+  
+  
+org.codehaus.mojo
+build-helper-maven-plugin
+3.3.0
+
+  
+create-security.txt-timestamp
+pre-site
+
+  timestamp-property
+
+
+  maven.security.expires
+  -MM-dd'T'HH:mm:ssXXX
+   add .well-known/security.txt
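Review bot: the property created by this execution is `maven.security.expires`, but the security.txt hunk in this PR still reads `Expires: ${maven.build.timestamp}`, so the new property is never consumed; update the resource to `${maven.security.expires}` or drop the plugin execution. The pattern on the last visible configuration line also evaluates to the bare build time, so unless an offset into the future is configured in the part cut off here, the file expires at publication. Note too that the pattern as shown starts with `-MM-`, i.e. the year component is missing (possibly an archive artefact, the quoted suggestion higher in the thread shows the same gap); confirm the committed pattern carries the year.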


[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645674#comment-17645674
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345374960

   Here it is: https://issues.apache.org/jira/browse/MNG-6434






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645673#comment-17645673
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345373414

   @bmarwell This is what you were looking for:
   ```diff
   diff --git a/pom.xml b/pom.xml
   index a7d46e96..8686e1e1 100644
   -



[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645672#comment-17645672
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345372396

   @kwin I know that you have been working on this Plexus nonsense with 
trimming and to-null coercion. Do you remember by any chance why an empty 
string is coerced to `null`?






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645671#comment-17645671
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345371692

   > I still don't believe it matters as the format string does not contain any 
locale-specific patterns. But if you insist, why not use the Maven properties I 
suggested?
   
   I did not say that it does matter, all I am telling is that `` 
does not behave the way you assume. Since we cannot really request 
`Locale#ROOT` I would use a really non-existing value and document it as such, 
e.g. `BOGUS`.






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645669#comment-17645669
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345370568

   Plexus XML handling coerces both: `  ` and 
`` to `null` instead of `""` which is actually what you 
want/need. The only way to fix this is to do 
`"ROOT".equals(this.locale)`...`locale = Locale.ROOT`.






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645668#comment-17645668
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345370360

   I still don't believe it matters as the format string does not contain any 
locale-specific patterns.
   But if you insist, why not use the Maven properties I suggested?






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645667#comment-17645667
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345368961

   > > > @michael-o now we have this:
   > > > ```
   > > > [INFO] -



[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645666#comment-17645666
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345367729

   > > @michael-o now we have this:
   > > 
   > > ```
   > > [INFO] -



[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645662#comment-17645662
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345366315

   > @michael-o now we have this:
   > 
   > ```
   > [INFO] -



[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645661#comment-17645661
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045126621


##
content/filtered-resources/.well-known/security.txt:
##
@@ -0,0 +1,6 @@
+Contact: mailto:secur...@apache.org
+Contact: mailto:priv...@maven.apache.org
+Expires: ${maven.build.timestamp}
+Preferred-Languages: en
+Policy: https://www.apache.org/security/
+Policy: https://maven.apache.org/security.html
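Review bot: `Expires: ${maven.build.timestamp}` resolves to the moment the site is built, so the deployed file is already expired the instant it goes live, and RFC 9116 requires Expires to be a point in the future. Either derive the value from the build time with a forward offset (the timestamp-property goal discussed elsewhere in this thread can do that) or commit a reviewed fixed date; in both cases the value must remain an RFC 3339 timestamp such as `2022-12-10T18:48:02Z`, and the Contact lines above it should be re-checked whenever the date is moved.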

Review Comment:
   I read it and I consider the second one useless. The only valuable 
information is: "For more information about reporting vulnerabilities, see the 
[Apache Security Team](https://www.apache.org/security/) page." This is as good 
as leaving it out. It provides no benefit.







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645660#comment-17645660
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345364430

   I just have reported a bug in RFC 9116. Quite embarrassing one.






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645657#comment-17645657
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345364007

   > So you are uploading an expired file. Expires MUST be in the future!
   
   Oh man, I am so stupid. You are right, of course. I left this out completely. 
I guess I should not code anymore today. But still, having the date being set 
automatically, I consider wrong because the provided information must be 
manually reviewed.
   
   Please drop the commit.






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645656#comment-17645656
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045125369


##
content/filtered-resources/.well-known/security.txt:
##
@@ -0,0 +1,6 @@
+Contact: mailto:secur...@apache.org
+Contact: mailto:priv...@maven.apache.org
+Expires: ${maven.build.timestamp}
+Preferred-Languages: en
+Policy: https://www.apache.org/security/
+Policy: https://maven.apache.org/security.html

Review Comment:
   > This one does not point to any policy. Just to a listing w/o any benefit 
for a potential reporter.
   
   Are you reading the spec at all? Or just posting random comments?
   
   > A link to a policy detailing what security researchers should do when 
searching for or reporting security issues.
   
   https://www.rfc-editor.org/rfc/rfc9116#section-2.5.7
   
   Both pages contain useful information for security researchers: email 
addresses, disclosure policy, etc.
   







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645655#comment-17645655
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345362771

   So you are uploading an expired file. Expires MUST be in the future!






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645654#comment-17645654
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045124193


##
content/filtered-resources/.well-known/security.txt:
##
@@ -0,0 +1,6 @@
+Contact: mailto:secur...@apache.org
+Contact: mailto:priv...@maven.apache.org
+Expires: ${maven.build.timestamp}
+Preferred-Languages: en
+Policy: https://www.apache.org/security/
+Policy: https://maven.apache.org/security.html

Review Comment:
   This one does not point to any policy. Just to a listing w/o any benefit for 
a potential reporter.







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645653#comment-17645653
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345360839

   @bmarwell I have added a commit which does it right. No fuzz, no additional 
plugins. WFM:
   ```
   Contact: mailto:secur...@apache.org
   Contact: mailto:priv...@maven.apache.org
   Expires: 2022-12-10T18:48:02Z
   Preferred-Languages: en
   Policy: https://www.apache.org/security/
   Policy: https://maven.apache.org/security.html
   ```
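A checker for the rules argued over in this thread (Expires must be in the future and less than a year ahead, and a literal `Z` is only honest on a time that was converted to UTC first; see the `'Z'` versus `XXX` review comments and the `+1` `year` offset), written here as an added Python example rather than in the plugin's Java; it is not code from the PR or the Maven project. The sample file is constructed in the shape of the one above, with placeholder contact addresses because the archive masks the real ones.

```python
"""security.txt checker for the RFC 9116 rules discussed in the thread.
Added example, not Maven's or build-helper-maven-plugin's code."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the file under review. The mail archive
# masks the contact addresses, so the local parts here are placeholders.
SAMPLE = """\
Contact: mailto:security-placeholder@apache.org
Contact: mailto:private-placeholder@maven.apache.org
Expires: 2022-12-10T18:48:02Z
Preferred-Languages: en
Policy: https://www.apache.org/security/
Policy: https://maven.apache.org/security.html
"""


def at_utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime, used as the deterministic 'now' in the checks."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def at_offset(hours, year, month, day, hour=0, minute=0, second=0):
    """Aware datetime in a fixed UTC offset, modelling a build host's local zone."""
    return datetime(year, month, day, hour, minute, second,
                    tzinfo=timezone(timedelta(hours=hours)))


def parse_security_txt(text):
    """Return {field name (lowercased): [values]}; blanks and '#' comments skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse an RFC 3339 timestamp into an aware datetime; a trailing Z is UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("missing UTC offset")
    return parsed


def check_security_txt(text, now):
    """Return the list of problems found; `now` must be timezone-aware."""
    fields = parse_security_txt(text)
    problems = []
    if not fields.get("contact"):
        problems.append("Contact is required")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
        return problems
    try:
        exp = parse_expires(expires[0])
    except ValueError as err:
        problems.append(f"Expires is not RFC 3339: {err}")
        return problems
    if exp <= now:
        # The review's point: a plain build timestamp is expired on deploy.
        problems.append("Expires is in the past")
    elif exp - now >= timedelta(days=365):
        # RFC 9116 recommends a value less than a year in the future.
        problems.append("Expires is a year or more ahead")
    return problems


def format_expires(when):
    """Honest rendering: convert to UTC first, then the literal Z is correct."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def format_expires_literal_z(when):
    """The pattern under review: stamps 'Z' on the local time without converting."""
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    print(check_security_txt(SAMPLE, at_utc(2022, 12, 11)))
    build_time = at_offset(1, 2022, 12, 10, 18, 48, 2)
    print(format_expires_literal_z(build_time), "vs", format_expires(build_time))
```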






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645648#comment-17645648
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345323411

   Removing the locale now leads to a warning that the build is system 
dependent. Is this really wanted? I feel having warnings intentionally seems 
odd. This might get "fixed" by someone else in the future who didn't read this 
thread.






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645647#comment-17645647
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345305885

   > Two issues:
   > * I think that using this plugin is redundant when we have this: 
https://maven.apache.org/guides/introduction/introduction-to-the-pom.html#special-variables
   > * Pushing the expires every time is like not having an expires at all. I'd 
rather make it a *fixed date* and 1 month before evaluate again. It is like 
pushing the appointment with the dentist every time.
   
   Huh. It's manual work and highly likely it's forgotten. It's very likely that
   
   * We push this project at least once or twice a year
   * The project is being maintained (or at least reachable) about 12 months 
after pushing out the last release.
   
   -1 for a fixed date.
   
   * It doesn't add any value
   * Can easily be forgotten
   * Needs extra pushes/releases.
   
   The special variable doesn't work with offsets. And I fail to see how this 
would help. The expiry format MUST BE an ISO 8601 timestamp.






[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645602#comment-17645602
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345254727

   @michael-o now we have this:
   
   ```
   [INFO] -



[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645598#comment-17645598
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045079240


##
pom.xml:
##
@@ -232,6 +232,32 @@
 -->
 
   
+  
+  
+org.codehaus.mojo
+build-helper-maven-plugin
+3.3.0
+
+  
+create-security.txt-timestamp
+pre-site
+
+  timestamp-property
+
+
+  maven.security.expires
+  ROOT
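Review bot: the locale value `ROOT` only behaves as intended if the plugin maps that token to `Locale.ROOT` rather than handing the string to a `Locale` constructor, where it would silently become an unknown language tag that happens to fall back to root locale data; the two review comments on this hunk disagree on which happens, so verify it against the plugin's timestamp-property source and, if the token is not recognised, prefer omitting the parameter over relying on the fallback. For an all-numeric pattern with quoted literals the locale does not change the output, so the only thing the setting buys is silencing the platform-dependence warning mentioned later in the thread.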

Review Comment:
   It does. `ROOT` works well. `'Z'` in combination with `ROOT` made sense, but 
now that we are going to use `XXX` I agree to remove it (for another reason, 
though).







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645575#comment-17645575
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045059586


##
pom.xml:
##
@@ -232,6 +232,32 @@
 -->
 
   
+  
+  
+org.codehaus.mojo
+build-helper-maven-plugin
+3.3.0
+
+  
+create-security.txt-timestamp
+pre-site
+
+  timestamp-property
+
+
+  maven.security.expires
+  ROOT

Review Comment:
   This will not work: 
https://www.mojohaus.org/build-helper-maven-plugin/xref/org/codehaus/mojo/buildhelper/TimestampPropertyMojo.html#L122
   It does not process `ROOT` for `new Locale("")`.



##
pom.xml:
##
@@ -232,6 +232,32 @@
 -->
 
   
+  
+  
+org.codehaus.mojo
+build-helper-maven-plugin
+3.3.0
+
+  
+create-security.txt-timestamp
+pre-site
+
+  timestamp-property
+
+
+  maven.security.expires
+  ROOT
+  -MM-dd'T'HH:mm:ss'Z'
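Review bot: the pattern ends in the literal `'Z'`, which stamps the letter Z on whatever wall-clock time the plugin formats, so unless the timestamp is rendered in UTC the Expires value misstates the zone by the build host's offset. Use the `XXX` ISO 8601 offset pattern instead (it prints `Z` for a zero offset and `+01:00` otherwise), or generate the value in UTC. As rendered here the pattern also begins with `-MM-dd` and shows no year field; if that is not an artifact of the archive, the resulting value would not be a valid RFC 3339 timestamp.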

Review Comment:
   Corrected request.







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-10 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645574#comment-17645574
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1044864320


##
pom.xml:
##
@@ -232,6 +232,32 @@
 -->
 
   
+  
+  
+org.codehaus.mojo
+build-helper-maven-plugin
+3.3.0
+
+  
+create-security.txt-timestamp
+pre-site
+
+  timestamp-property
+
+
+  maven.security.expires
+  ROOT
+  -MM-dd'T'HH:mm:ss'Z'

Review Comment:
   Don't use `'Z'`, always use `XXX`.







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-09 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645519#comment-17645519
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1044919562


##
pom.xml:
##
@@ -232,6 +232,32 @@
 -->
 
   
+  
+  
+org.codehaus.mojo
+build-helper-maven-plugin
+3.3.0
+
+  
+create-security.txt-timestamp
+pre-site
+
+  timestamp-property
+
+
+  maven.security.expires
+  ROOT
+  -MM-dd'T'HH:mm:ss'Z'
+  +1
+  year
+
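Review bot: the `+1` `year` offset puts Expires exactly one year past the build time, which sits on the boundary of RFC 9116's recommendation that the value be less than a year in the future to avoid staleness; a shorter offset such as six months keeps the generated file within that guidance while still outliving the typical gap between site deploys mentioned in the thread. An automatically renewed expiry is only as trustworthy as the Contact and Policy lines it vouches for, so the deploy checklist should include re-reading them.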

Review Comment:
   Understood.







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-09 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645518#comment-17645518
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1044919421


##
pom.xml:
##
@@ -232,6 +232,32 @@
 -->
 
   
+  
+  
+org.codehaus.mojo
+build-helper-maven-plugin
+3.3.0
+
+  
+create-security.txt-timestamp
+pre-site
+
+  timestamp-property
+
+
+  maven.security.expires
+  ROOT
+  -MM-dd'T'HH:mm:ss'Z'

Review Comment:
   Copy and paste, of course the latter without the quotes. Thanks for the 
sharp eye.







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-09 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645508#comment-17645508
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1044897609


##
pom.xml:
##
@@ -232,6 +232,32 @@
 -->
 
   
+  
+  
+org.codehaus.mojo
+build-helper-maven-plugin
+3.3.0
+
+  
+create-security.txt-timestamp
+pre-site
+
+  timestamp-property
+
+
+  maven.security.expires
+  ROOT
+  -MM-dd'T'HH:mm:ss'Z'

Review Comment:
   Can do. But your answer doesn't make sense. I can change from literal `'Z'` 
to the TZ pattern `XXX`. But a literal XXX would not be a valid ISO-8601 time. 
Judging from other posts on GitHub, you didn't mean to include the single 
quotes and you do want the offset to be printed, so we don't lie about a few 
hours?
   
   Please note, currently we have a literal Z, not the pattern Z. Your answer 
would have made more sense without the quotes, which is why I ask.







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-09 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645504#comment-17645504
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1044893006


##
pom.xml:
##
@@ -232,6 +232,32 @@
 -->
 
   
+  
+  
+org.codehaus.mojo
+build-helper-maven-plugin
+3.3.0
+
+  
+create-security.txt-timestamp
+pre-site
+
+  timestamp-property
+
+
+  maven.security.expires
+  ROOT
+  -MM-dd'T'HH:mm:ss'Z'
+  +1
+  year
+
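Review bot: the `+1` / `year` offset puts `Expires` exactly one year after each deployment, while RFC 9116 (section 2.5.5) recommends a value less than a year into the future; a shorter offset such as a few months would stay inside that recommendation. Since the value only moves when the site is actually deployed, a stale file with an `Expires` in the past is the failure mode to watch if deployments pause for longer than the offset.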

Review Comment:
   Yes, that's the idea. It's the time when the information is considered 
stale/expired. As long as we deploy the site, it must be active for another 
year or so.
   
   See the RFC from the mailing list and this article: 
https://developer.okta.com/blog/2021/10/19/intro-security-txt
   
   We do the same in Apache Shiro.







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-09 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645484#comment-17645484
 ] 

ASF GitHub Bot commented on MNGSITE-503:


michael-o commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1044864320


##
pom.xml:
##
@@ -232,6 +232,32 @@
 -->
 
   
+  
+  
+org.codehaus.mojo
+build-helper-maven-plugin
+3.3.0
+
+  
+create-security.txt-timestamp
+pre-site
+
+  timestamp-property
+
+
+  maven.security.expires
+  ROOT
+  -MM-dd'T'HH:mm:ss'Z'

Review Comment:
   Don't use `'Z'`, always use `'XXX'`.



##
pom.xml:
##
@@ -232,6 +232,32 @@
 -->
 
   
+  
+  
+org.codehaus.mojo
+build-helper-maven-plugin
+3.3.0
+
+  
+create-security.txt-timestamp
+pre-site
+
+  timestamp-property
+
+
+  maven.security.expires
+  ROOT
+  -MM-dd'T'HH:mm:ss'Z'
+  +1
+  year
+

Review Comment:
   What is the purpose of this? It will change every time the site gets 
deployed.







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-09 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645459#comment-17645459
 ] 

ASF GitHub Bot commented on MNGSITE-503:


slawekjaranowski commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1044752527


##
content/filtered-resources/.well-known/security.txt:
##
@@ -0,0 +1,6 @@
+Contact: mailto:secur...@apache.org
+Contact: mailto:secur...@maven.apache.org
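Review bot: repeating `Contact` is allowed, but RFC 9116 (section 2.5.3) says the listed order is the order of preference, so keeping the general foundation address on the first line (as here) is a deliberate choice worth stating in the PR description. The hunk header announces six lines while only two are quoted, so the required `Expires` field cannot be reviewed from this excerpt; confirm it appears exactly once in the full file.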

Review Comment:
   security@maven should be checked ... try sending an email 😄 maybe it is an 
alias for a private list







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-09 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645415#comment-17645415
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1044674863


##
content/filtered-resources/.well-known/security.txt:
##
@@ -0,0 +1,6 @@
+Contact: mailto:secur...@apache.org
+Contact: mailto:secur...@maven.apache.org
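Review bot: the second `Contact` line rests on an address that "SHOULD exist" rather than one verified to exist; before merge, send a test message to it and confirm it reaches the PMC, including when the sender is not subscribed, since a bouncing or moderated-away contact defeats the purpose of publishing the file.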

Review Comment:
   Yes, you can repeat this according to RFCs.
   The first address is the general a.o address which can be found on the 
linked security policy website.
   The second one SHOULD exist. It's an address (mailing list) which is created 
for each PMC.







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-09 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645306#comment-17645306
 ] 

ASF GitHub Bot commented on MNGSITE-503:


slawekjaranowski commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1044477516


##
content/filtered-resources/.well-known/security.txt:
##
@@ -0,0 +1,6 @@
+Contact: mailto:secur...@apache.org
+Contact: mailto:secur...@maven.apache.org

Review Comment:
   Is there such an address, lists?







[jira] [Commented] (MNGSITE-503) add .well-known/security.txt

2022-12-09 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645284#comment-17645284
 ] 

ASF GitHub Bot commented on MNGSITE-503:


bmarwell opened a new pull request, #354:
URL: https://github.com/apache/maven-site/pull/354

   References:
   
   * [.well-known/security.txt at maven.apache.org 
(mail-archive.com)](https://www.mail-archive.com/dev@maven.apache.org/msg128366.html)
   * [.well-known/security.txt at maven.apache.org-Apache Mail 
Archives](https://lists.apache.org/thread/tvfg1lx9nd72c9t4t4s3zlx6l0tpnmwy)



