[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645856#comment-17645856 ]

Hudson commented on MNGSITE-503:

Build succeeded in Jenkins: Maven » Maven TLP » maven-site » master #194
See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven-site/job/master/194/

> add .well-known/security.txt
>
> Key: MNGSITE-503
> URL: https://issues.apache.org/jira/browse/MNGSITE-503
> Project: Maven Project Web Site
> Issue Type: Improvement
> Reporter: Benjamin Marwell
> Assignee: Benjamin Marwell
> Priority: Major
> Labels: security
>
> As per consensus on the mailing list (+1 from [~rmannibucau] and me), we should add a file `.well-known/security.txt`.
> I will prepare a PR.
> References:
> * [.well-known/security.txt at maven.apache.org (mail-archive.com)|https://www.mail-archive.com/dev@maven.apache.org/msg128366.html]
> * [.well-known/security.txt at maven.apache.org-Apache Mail Archives|https://lists.apache.org/thread/tvfg1lx9nd72c9t4t4s3zlx6l0tpnmwy]
> * [RFC 9116|https://datatracker.ietf.org/doc/html/rfc9116]

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645855#comment-17645855 ]

ASF GitHub Bot commented on MNGSITE-503:

bmarwell merged PR #354:
URL: https://github.com/apache/maven-site/pull/354
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645850#comment-17645850 ]

Hudson commented on MNGSITE-503:

Build failed in Jenkins: Maven » Maven TLP » maven-site » PR-354 #10
See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven-site/job/PR-354/10/
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645849#comment-17645849 ]

ASF GitHub Bot commented on MNGSITE-503:

bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345653699

> This is not what I understand. The specification is not concrete enough for me.

That's a legit statement. However, it could take some considerable amount of time until the issue you opened has been resolved (i.e. clarification and fix of the example).
As @bdemers, @hboutemy and @slawekjaranowski are okay with the state as-is, let’s merge it and come back later if it needs attention.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645801#comment-17645801 ]

ASF GitHub Bot commented on MNGSITE-503:

michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345608669

> When I open the RFC it clearly says
>
> > The "Expires" field indicates the date and time[...]
>
> and
>
> > The value of this field is formatted according to[...]
>
> I think it couldn't be more clear. They require date and time in the format defined in 8601. While 8601 also defines LocalDate, in this case they want a DateTimeInstant defined how 8601 would want to have it.

This is not what I understand. The specification is not concrete enough for me. A telescoping approach should be fine otherwise an erratum is necessary.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645798#comment-17645798 ]

ASF GitHub Bot commented on MNGSITE-503:

bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345602186

When I open the RFC it clearly says

> The "Expires" field indicates the date and time[...]

I think it couldn't be more clear.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645795#comment-17645795 ]

ASF GitHub Bot commented on MNGSITE-503:

bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345601859

So, a researcher in the US gets more time. Interesting!
Tbh I think only an instant makes sense to avoid this. Probably all scanners try to parse a time and "Z". It doesn't even hurt.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645793#comment-17645793 ]

ASF GitHub Bot commented on MNGSITE-503:

michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345600516

> > Then just drop to date only. Fully valid ISO date
>
> Spec explicitly asks for date and **TIME**.
>
> +1 for Hervés suggestion, will add later.

https://www.rfc-editor.org/rfc/rfc9116#section-2.5.5 does not say that. It just says that the format has to comply with ISO 8601. Moreover, the example is invalid according to ISO 8601 and this I wrote Yakov yesterday. Unless it uses the word MUST a local date is more than enough. Everything else is a problem with the RFC itself.
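The point argued in this thread is what a consumer of the file will accept in `Expires`. The following added example (not code from PR #354 or the Maven project) checks that field as an RFC 3339 `date-time`, which is how the ABNF in RFC 9116 section 4 defines it, and also flags an unfiltered `${...}` placeholder and a value that is already in the past. The function names, finding codes, reference time and sample files are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 section 5.6 date-time: full-date "T" full-time, offset is mandatory.
RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})(\.\d+)?"
    r"([Zz]|[+-]\d{2}:\d{2})$"
)
# A resource-filtering placeholder that was never substituted.
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")

# Constructed reference time, so the results below do not depend on the clock.
NOW = datetime(2022, 12, 10, 12, 5, tzinfo=timezone.utc)


def parse_fields(text):
    """Return (lower-cased name, value) pairs; skip blank lines and '#' comments."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_rfc3339(value):
    """Return an aware datetime, or None if value is not an RFC 3339 date-time."""
    m = RFC3339.match(value)
    if not m:
        return None
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    off = m.group(8)
    try:
        if off in ("Z", "z"):
            tz = timezone.utc
        else:
            sign = 1 if off[0] == "+" else -1
            tz = timezone(sign * timedelta(hours=int(off[1:3]),
                                           minutes=int(off[4:6])))
        return datetime(y, mo, d, h, mi, s, tzinfo=tz)
    except ValueError:  # e.g. 30 February, hour 25, offset of 24h or more
        return None


def check_expires(text, now):
    """Return finding codes for the Expires field; an empty list means OK."""
    values = [v for n, v in parse_fields(text) if n == "expires"]
    if not values:
        return ["missing-expires"]
    if len(values) > 1:
        return ["duplicate-expires"]
    value = values[0]
    if PLACEHOLDER.search(value):
        return ["unfiltered-placeholder"]
    expires = parse_rfc3339(value)
    if expires is None:
        return ["not-rfc3339-date-time"]
    if expires <= now:
        return ["expired"]
    if expires - now > timedelta(days=365):
        return ["more-than-a-year-ahead"]  # RFC 9116 recommends under a year
    return []


def sample(expires_value):
    """Constructed security.txt modelled on the PR's file (placeholder contact)."""
    return (
        "Contact: mailto:security@example.org\n"
        f"Expires: {expires_value}\n"
        "Preferred-Languages: en\n"
        "Policy: https://www.apache.org/security/\n"
    )


# Constructed Expires values covering the variants discussed in the thread.
SAMPLES = {
    "unfiltered": "${maven.build.timestamp}",
    "date_only": "2023-06-01",
    "build_time": "2022-12-10T12:00:00Z",
    "month_rounded": "2023-01-01T00:00:00Z",
    "local_offset": "2023-06-01T00:00:00+02:00",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:14} {value:28} {check_expires(sample(value), NOW)}")
```

A check like this fits as a post-build step over the generated site output, so a date-only or unsubstituted value fails the build instead of reaching the published site.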
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645791#comment-17645791 ]

ASF GitHub Bot commented on MNGSITE-503:

hboutemy commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045261766

## content/filtered-resources/.well-known/security.txt: ## @@ -0,0 +1,6 @@ +Contact: mailto:secur...@apache.org +Contact: mailto:priv...@maven.apache.org +Expires: ${maven.build.timestamp} +Preferred-Languages: en +Policy: https://www.apache.org/security/ +Policy: https://maven.apache.org/security.html

Review Comment:
IIUC, the intent in the RFC is to link to policies, not history.
I don't really have any experience with this RFC. Given it seems intended for people to read, humans can guess I suppose, then not a strict problem: do as you feel better
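Review bot: On the `+Expires: ${maven.build.timestamp}` line, the substituted value is the time the site was built, so the published file states an expiry that has already passed when anyone fetches it. Expires is the point after which the file should be treated as stale, so it needs a property holding a future instant (build time plus an offset) rather than the build timestamp itself. It is also worth failing the build when a literal `${...}` survives resource filtering, since a consumer cannot parse it as a date.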
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645790#comment-17645790 ]

ASF GitHub Bot commented on MNGSITE-503:

bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345598388

> Then just drop to date only. Fully valid ISO date

Spec explicitly asks for date and **TIME**.

+1 for Hervés suggestion, will add later.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645783#comment-17645783 ]

ASF GitHub Bot commented on MNGSITE-503:

michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345579423

> one idea: shouldn't we simplify with
>
> ```
> -MM-'01T00:00:00Z'
> ```
>
> ie just round to month, and forget about all the details for locale?
>
> that would match the spirit of having an automatic date, but without having it changed too much: once per month, not every rebuild (then no noise at svnpubsub level on each build)
>
> WDYT?

Then just drop to date only. Fully valid ISO date
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645779#comment-17645779 ]

ASF GitHub Bot commented on MNGSITE-503:

hboutemy commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345568583

one idea: shouldn't we simplify with

```
-MM-'01T'00:00:00Z'
```

ie just round to month, and forget about all the details for locale?

that would match the spirit of having an automatic date that is not changed too much (one per month, not every rebuild)

WDYT?
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645758#comment-17645758 ]

ASF GitHub Bot commented on MNGSITE-503:

michael-o commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045214262

## content/filtered-resources/.well-known/security.txt: ## @@ -0,0 +1,6 @@ +Contact: mailto:secur...@apache.org +Contact: mailto:priv...@maven.apache.org +Expires: ${maven.build.timestamp} +Preferred-Languages: en +Policy: https://www.apache.org/security/ +Policy: https://maven.apache.org/security.html

Review Comment:
That is what I was talking about
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645751#comment-17645751 ]

ASF GitHub Bot commented on MNGSITE-503:

bmarwell commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045200050

## content/filtered-resources/.well-known/security.txt: ## @@ -0,0 +1,6 @@ +Contact: mailto:secur...@apache.org +Contact: mailto:priv...@maven.apache.org +Expires: ${maven.build.timestamp} +Preferred-Languages: en +Policy: https://www.apache.org/security/ +Policy: https://maven.apache.org/security.html

Review Comment:
Ah. I linked it because of the existing CVEs. This might have been helpful. But if you really only want to include links to policies, that's okay for me, too.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645750#comment-17645750 ]

ASF GitHub Bot commented on MNGSITE-503:

hboutemy commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045199323

## content/filtered-resources/.well-known/security.txt: ## @@ -0,0 +1,6 @@ +Contact: mailto:secur...@apache.org +Contact: mailto:priv...@maven.apache.org +Expires: ${maven.build.timestamp} +Preferred-Languages: en +Policy: https://www.apache.org/security/ +Policy: https://maven.apache.org/security.html

Review Comment:
AFAIK, https://maven.apache.org/security.html does not provide anything related to policy, just eventually the link to https://www.apache.org/security/ = the previous link

I think we should keep only the first "Policy" entry, not the second one
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645728#comment-17645728 ]

ASF GitHub Bot commented on MNGSITE-503:

kwin commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045181161

## pom.xml: ## @@ -232,6 +232,33 @@ --> + + +org.codehaus.mojo +build-helper-maven-plugin +3.3.0 + + +create-security.txt-timestamp +pre-site + + timestamp-property + + + maven.security.expires + -MM-dd'T'HH:mm:ssXXX +
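Review bot: In the `timestamp-property` execution, the pattern ends in `XXX`, which prints the build machine's UTC offset, and the lines shown here set no `timeZone`, so the rendered `maven.security.expires` differs from one builder to the next. Pinning the time zone to UTC in the execution's configuration would keep the published value stable. The execution is also bound to `pre-site`, so any path that filters the resource without running the site lifecycle leaves the property unset and publishes the placeholder literally.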
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645674#comment-17645674 ]

ASF GitHub Bot commented on MNGSITE-503:

michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345374960

Here it is: https://issues.apache.org/jira/browse/MNG-6434
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645673#comment-17645673 ]

ASF GitHub Bot commented on MNGSITE-503:

michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345373414

@bmarwell This is what you were looking for:

```diff diff --git a/pom.xml b/pom.xml index a7d46e96..8686e1e1 100644 -
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645672#comment-17645672 ]

ASF GitHub Bot commented on MNGSITE-503:

michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345372396

@kwin I know that you have been working on this Plexus non-sense with trimming and to null coercion. Do you remember by any chance why an empty string is coerced to `null`?
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645671#comment-17645671 ]

ASF GitHub Bot commented on MNGSITE-503:

michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345371692

> I still don't believe it matters as the format string does not contain any locale-specific patterns. But if you insist, why not use the Maven properties I suggested?

I did not say that it does matter, all I am telling is that `` does not behave the way you assume. Since we cannot really request `Locale#ROOT` I would use a really non-existing value and document it as such, e.g. `BOGUS`.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645669#comment-17645669 ]

ASF GitHub Bot commented on MNGSITE-503:

michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345370568

Plexus XML handling coerces both: ` ` and `` to `null` instead of `""` which is actually what you want/need. The only way to fix this is to do `"ROOT".equals(this.locale)`...`locale = Locale.ROOT`.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645668#comment-17645668 ]

ASF GitHub Bot commented on MNGSITE-503:

bmarwell commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345370360

I still don't believe it matters as the format string does not contain any locale-specific patterns. But if you insist, why not use the Maven properties I suggested?
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645667#comment-17645667 ]

ASF GitHub Bot commented on MNGSITE-503:

michael-o commented on PR #354:
URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345368961

> > > @michael-o now we have this:
> > > ```
> > > [INFO] -
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645666#comment-17645666 ] ASF GitHub Bot commented on MNGSITE-503: bmarwell commented on PR #354: URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345367729 > > @michael-o now we have this: > > > > ``` > > [INFO] -
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645662#comment-17645662 ] ASF GitHub Bot commented on MNGSITE-503: michael-o commented on PR #354: URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345366315 > @michael-o now we have this: > > ``` > [INFO] -
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645661#comment-17645661 ] ASF GitHub Bot commented on MNGSITE-503: michael-o commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1045126621 ## content/filtered-resources/.well-known/security.txt: ## @@ -0,0 +1,6 @@ +Contact: mailto:secur...@apache.org +Contact: mailto:priv...@maven.apache.org +Expires: ${maven.build.timestamp} +Preferred-Languages: en +Policy: https://www.apache.org/security/ +Policy: https://maven.apache.org/security.html Review Comment: I read it and I consider the second one useless. The only valuable information is: "For more information about reporting vulnerabilities, see the [Apache Security Team](https://www.apache.org/security/) page." This is as good as leaving it out. It provides no benefit.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645660#comment-17645660 ] ASF GitHub Bot commented on MNGSITE-503: michael-o commented on PR #354: URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345364430 I have just reported a bug in RFC 9116. Quite an embarrassing one.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645657#comment-17645657 ] ASF GitHub Bot commented on MNGSITE-503: michael-o commented on PR #354: URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345364007

> So you are uploading an expired file. Expires MUST be in the future!

Oh man, I am so stupid. You are right, of course. I left this out completely. I guess I should not code anymore today. But still, having the date being set automatically, I consider wrong because the provided information must be manually reviewed. Please drop the commit.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645656#comment-17645656 ] ASF GitHub Bot commented on MNGSITE-503: bmarwell commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1045125369 ## content/filtered-resources/.well-known/security.txt: ## @@ -0,0 +1,6 @@ +Contact: mailto:secur...@apache.org +Contact: mailto:priv...@maven.apache.org +Expires: ${maven.build.timestamp} +Preferred-Languages: en +Policy: https://www.apache.org/security/ +Policy: https://maven.apache.org/security.html Review Comment: > This one does not point to any policy. Just to a listing w/o any benefit for a potential reporter. Are you reading the spec at all? Or just posting random comments? > A link to a policy detailing what security researchers should do when searching for or reporting security issues. https://www.rfc-editor.org/rfc/rfc9116#section-2.5.7 Both pages contain useful information for security researchers: email addresses, disclosure policy, etc.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645655#comment-17645655 ] ASF GitHub Bot commented on MNGSITE-503: bmarwell commented on PR #354: URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345362771 So you are uploading an expired file. Expires MUST be in the future!
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645654#comment-17645654 ] ASF GitHub Bot commented on MNGSITE-503: michael-o commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1045124193 ## content/filtered-resources/.well-known/security.txt: ## @@ -0,0 +1,6 @@ +Contact: mailto:secur...@apache.org +Contact: mailto:priv...@maven.apache.org +Expires: ${maven.build.timestamp} +Preferred-Languages: en +Policy: https://www.apache.org/security/ +Policy: https://maven.apache.org/security.html Review Comment: This one does not point to any policy. Just to a listing w/o any benefit for a potential reporter.
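Review bot: `Expires: ${maven.build.timestamp}` in the new security.txt resolves to the moment the site is built, so the published file is at its expiry the instant it is deployed and a consumer that honours the field will treat the contacts as stale. Feed the field from a value that lies after the build, either a property offset from the build time or a fixed date that someone reviews, rather than from the raw build timestamp.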
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645653#comment-17645653 ] ASF GitHub Bot commented on MNGSITE-503: michael-o commented on PR #354: URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345360839

@bmarwell I have added a commit which does it right. No fuzz, no additional plugins. WFM:

```
Contact: mailto:secur...@apache.org
Contact: mailto:priv...@maven.apache.org
Expires: 2022-12-10T18:48:02Z
Preferred-Languages: en
Policy: https://www.apache.org/security/
Policy: https://maven.apache.org/security.html
```
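The check this exchange turns on, as an added example (not code from the PR or from the Maven project): a small validator that flags a security.txt whose `Expires` is missing, is not an RFC 3339 date-time, is not in the future, or still contains an unresolved `${...}` build property. The sample files and their example.org addresses are constructed; the build time is the timestamp quoted in the message above, and the 366-day ceiling is an assumption based on RFC 9116's recommendation to stay under a year.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 date-time: date, 'T', time, then 'Z' or a numeric offset such as +01:00.
RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})(?:\.\d+)?([Zz]|[+-]\d{2}:\d{2})$"
)
# A build property that resource filtering never replaced, e.g. ${some.property}.
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")


def parse_rfc3339(value):
    """Return an aware datetime, or None if value is not an RFC 3339 date-time."""
    m = RFC3339.match(value)
    if not m:
        return None
    zone = m.group(7)
    try:
        if zone in ("Z", "z"):
            tz = timezone.utc
        else:
            sign = 1 if zone[0] == "+" else -1
            tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6])))
        return datetime(*(int(g) for g in m.groups()[:6]), tzinfo=tz)
    except ValueError:  # impossible date, time or offset
        return None


def parse_fields(text):
    """Return [(name, value)]; names are lower-cased, comments and blanks skipped."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields


def check_security_txt(text, now, max_lifetime=timedelta(days=366)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    fields = parse_fields(text)
    for name, value in fields:
        if PLACEHOLDER.search(value):
            findings.append(f"{name}: unresolved build placeholder {value!r}")
    if not any(name == "contact" for name, _ in fields):
        findings.append("contact: required field is missing")
    expires = [value for name, value in fields if name == "expires"]
    if len(expires) != 1:
        findings.append(f"expires: must appear exactly once, found {len(expires)}")
        return findings
    when = parse_rfc3339(expires[0])
    if when is None:
        findings.append(f"expires: {expires[0]!r} is not an RFC 3339 date-time")
    elif when <= now:
        findings.append(f"expires: {expires[0]} is not in the future")
    elif when - now > max_lifetime:
        findings.append(f"expires: {expires[0]} is more than {max_lifetime.days} days ahead")
    return findings


# Constructed samples. BUILD_TIME is the timestamp shown in the generated file above.
BUILD_TIME = datetime(2022, 12, 10, 18, 48, 2, tzinfo=timezone.utc)
TEMPLATE = (
    "Contact: mailto:security@example.org\n"
    "Expires: {expires}\n"
    "Preferred-Languages: en\n"
    "Policy: https://example.org/security/\n"
)
STAMPED_AT_BUILD = TEMPLATE.format(expires="2022-12-10T18:48:02Z")
ONE_YEAR_AHEAD = TEMPLATE.format(expires="2023-12-10T18:48:02Z")
UNFILTERED = TEMPLATE.format(expires="${maven.build.timestamp}")

if __name__ == "__main__":
    for label, sample in [("stamped at build", STAMPED_AT_BUILD),
                          ("one year ahead", ONE_YEAR_AHEAD),
                          ("unfiltered", UNFILTERED)]:
        print(label, "->", check_security_txt(sample, BUILD_TIME) or "ok")
```

Run as a step after the site is generated, with `now` set to the current UTC time, a non-empty result is a reason to fail the build before the file is deployed.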
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645648#comment-17645648 ] ASF GitHub Bot commented on MNGSITE-503: bmarwell commented on PR #354: URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345323411 Removing the locale now leads to a warning that the build is system dependent. Is this really wanted? I feel having warnings intentionally seems odd. This might get "fixed" by someone else in the future who didn't read this thread.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645647#comment-17645647 ] ASF GitHub Bot commented on MNGSITE-503: bmarwell commented on PR #354: URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345305885 > Two issues: > * I think that using this plugin is redundant when we have this: https://maven.apache.org/guides/introduction/introduction-to-the-pom.html#special-variables > * Pushing the expires every time like not a having an expires at all. I'd rather make it a *fixed date* and 1 month before evaluate again. It is like push the appointment with the dentist every time. Huh. It's manual work and highly likely it's forgotten. It's very likely that * We push this project at least once or twice a year * The project is being maintained (or at least reachable) about 12 months after pushing out the last release. -1 for a fixed date. * It doesn't add any value * Can easily be forgotten * Needs extra pushes/releases. The special variable doesn't work with offsets. And I fail to see how this would help. The expiry format MUST BE an ISO 8601 timestamp.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645602#comment-17645602 ] ASF GitHub Bot commented on MNGSITE-503: bmarwell commented on PR #354: URL: https://github.com/apache/maven-site/pull/354#issuecomment-1345254727 @michael-o now we have this: ``` [INFO] -
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645598#comment-17645598 ] ASF GitHub Bot commented on MNGSITE-503: bmarwell commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1045079240 ## pom.xml: ## @@ -232,6 +232,32 @@ --> + + +org.codehaus.mojo +build-helper-maven-plugin +3.3.0 + + +create-security.txt-timestamp +pre-site + + timestamp-property + + + maven.security.expires + ROOT Review Comment: It does. `ROOT` works well. `'Z'` in combination with `ROOT` made sense, but now that we are going to use `XXX` I agree to remove it (for another reason, though).
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645575#comment-17645575 ] ASF GitHub Bot commented on MNGSITE-503: michael-o commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1045059586 ## pom.xml: ## @@ -232,6 +232,32 @@ --> + + +org.codehaus.mojo +build-helper-maven-plugin +3.3.0 + + +create-security.txt-timestamp +pre-site + + timestamp-property + + + maven.security.expires + ROOT Review Comment: This will not work: https://www.mojohaus.org/build-helper-maven-plugin/xref/org/codehaus/mojo/buildhelper/TimestampPropertyMojo.html#L122 It does not process `ROOT` for `new Locale("")`. ## pom.xml: ## @@ -232,6 +232,32 @@ --> + + +org.codehaus.mojo +build-helper-maven-plugin +3.3.0 + + +create-security.txt-timestamp +pre-site + + timestamp-property + + + maven.security.expires + ROOT + -MM-dd'T'HH:mm:ss'Z' Review Comment: Corrected request.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645574#comment-17645574 ] ASF GitHub Bot commented on MNGSITE-503: michael-o commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1044864320 ## pom.xml: ## @@ -232,6 +232,32 @@ --> + + +org.codehaus.mojo +build-helper-maven-plugin +3.3.0 + + +create-security.txt-timestamp +pre-site + + timestamp-property + + + maven.security.expires + ROOT + -MM-dd'T'HH:mm:ss'Z' Review Comment: Don't use `'Z'`, always use `XXX`.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645519#comment-17645519 ] ASF GitHub Bot commented on MNGSITE-503: michael-o commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1044919562 ## pom.xml: ## @@ -232,6 +232,32 @@ --> + + +org.codehaus.mojo +build-helper-maven-plugin +3.3.0 + + +create-security.txt-timestamp +pre-site + + timestamp-property + + + maven.security.expires + ROOT + -MM-dd'T'HH:mm:ss'Z' + +1 + year + Review Comment: Understood.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645518#comment-17645518 ] ASF GitHub Bot commented on MNGSITE-503: michael-o commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1044919421 ## pom.xml: ## @@ -232,6 +232,32 @@ --> + + +org.codehaus.mojo +build-helper-maven-plugin +3.3.0 + + +create-security.txt-timestamp +pre-site + + timestamp-property + + + maven.security.expires + ROOT + -MM-dd'T'HH:mm:ss'Z' Review Comment: Copy and paste, of course the latter without the quotes. Thanks for the sharp eye.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645508#comment-17645508 ] ASF GitHub Bot commented on MNGSITE-503: bmarwell commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1044897609 ## pom.xml: ## @@ -232,6 +232,32 @@ --> + + +org.codehaus.mojo +build-helper-maven-plugin +3.3.0 + + +create-security.txt-timestamp +pre-site + + timestamp-property + + + maven.security.expires + ROOT + -MM-dd'T'HH:mm:ss'Z' Review Comment: Can do. But your answer doesn't make sense. I can change from literal `'Z'` to the TZ pattern `XXX`. But a literal XXX would not be a valid ISO-8601 time. Judging from other posts on GitHub, you didn't mean to include the single quotes and you do want the offset to be printed, so we don't lie about a few hours? Please note, currently we have a literal Z, not the pattern Z. Your answer would have made more sense without the quotes, which is why I ask.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645504#comment-17645504 ] ASF GitHub Bot commented on MNGSITE-503: bmarwell commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1044893006 ## pom.xml: ## @@ -232,6 +232,32 @@ --> + + +org.codehaus.mojo +build-helper-maven-plugin +3.3.0 + + +create-security.txt-timestamp +pre-site + + timestamp-property + + + maven.security.expires + ROOT + -MM-dd'T'HH:mm:ss'Z' + +1 + year + Review Comment: Yes, that's the idea. It's the time when the information is considered stale/expired. As long as we deploy the site, it must be active for another year or so. See the RFC from the mailing list and this article: https://developer.okta.com/blog/2021/10/19/intro-security-txt We do the same in Apache Shiro.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645484#comment-17645484 ] ASF GitHub Bot commented on MNGSITE-503: michael-o commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1044864320 ## pom.xml: ## @@ -232,6 +232,32 @@ --> + + +org.codehaus.mojo +build-helper-maven-plugin +3.3.0 + + +create-security.txt-timestamp +pre-site + + timestamp-property + + + maven.security.expires + ROOT + -MM-dd'T'HH:mm:ss'Z' Review Comment: Don't use `'Z'`, always use `'XXX'`. ## pom.xml: ## @@ -232,6 +232,32 @@ --> + + +org.codehaus.mojo +build-helper-maven-plugin +3.3.0 + + +create-security.txt-timestamp +pre-site + + timestamp-property + + + maven.security.expires + ROOT + -MM-dd'T'HH:mm:ss'Z' + +1 + year + Review Comment: What is the purpose of this? It will change every time the site gets deployed.
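Review bot: the pattern in the `timestamp-property` configuration ends in a quoted `'Z'`, which is written out as a literal character and not derived from the zone the date was formatted in, so the resulting `maven.security.expires` value is only truthful while the plugin formats in UTC, and no time zone setting is visible in this hunk. Either pin the time zone to UTC next to the pattern or use the unquoted `XXX` pattern letters so the real offset is emitted; a quoted `'XXX'` would put three literal X characters into the file.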
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645459#comment-17645459 ] ASF GitHub Bot commented on MNGSITE-503: slawekjaranowski commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1044752527 ## content/filtered-resources/.well-known/security.txt: ## @@ -0,0 +1,6 @@ +Contact: mailto:secur...@apache.org +Contact: mailto:secur...@maven.apache.org Review Comment: security@maven should be checked ... try send an email 😄 maybe it is an alias for private list
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645415#comment-17645415 ] ASF GitHub Bot commented on MNGSITE-503: bmarwell commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1044674863 ## content/filtered-resources/.well-known/security.txt: ## @@ -0,0 +1,6 @@ +Contact: mailto:secur...@apache.org +Contact: mailto:secur...@maven.apache.org Review Comment: Yes, you can repeat this according to RFCs. The first address is the general a.o address which can be found on the linked security policy website. The second one SHOULD exist. It's an address (mailing list) which is created for each PMC.
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645306#comment-17645306 ] ASF GitHub Bot commented on MNGSITE-503: slawekjaranowski commented on code in PR #354: URL: https://github.com/apache/maven-site/pull/354#discussion_r1044477516 ## content/filtered-resources/.well-known/security.txt: ## @@ -0,0 +1,6 @@ +Contact: mailto:secur...@apache.org +Contact: mailto:secur...@maven.apache.org Review Comment: Is there such address, lists?
[jira] [Commented] (MNGSITE-503) add .well-known/security.txt
[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645284#comment-17645284 ] ASF GitHub Bot commented on MNGSITE-503: bmarwell opened a new pull request, #354: URL: https://github.com/apache/maven-site/pull/354 References: * [.well-known/security.txt at maven.apache.org (mail-archive.com)](https://www.mail-archive.com/dev@maven.apache.org/msg128366.html) * [.well-known/security.txt at maven.apache.org-Apache Mail Archives](https://lists.apache.org/thread/tvfg1lx9nd72c9t4t4s3zlx6l0tpnmwy)