[tor-bugs] #25131 [Webpages/Website]: Sign security.txt
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Sep 3 01:50:33 UTC 2018
#25131: Sign security.txt
------------------------------+----------------------------------
Reporter: teor | Owner: (none)
Type: enhancement | Status: new
Priority: Medium | Milestone: website redesign
Component: Webpages/Website | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------+----------------------------------
Comment (by teor):
Replying to [comment:4 traumschule]:
> This got merged although the links in
> [https://torproject.org/.well-known/security.txt security.txt] do not yet
> point to useful information, also it is missing a signature.
> * Policy: the current [[org/teams/NetworkTeam/SecurityPolicy|security
> policy]] is a draft and should be published in a (signed) blog post
> (#5489) and linked from https://torproject.org/about/contact#security
That's not the Tor Project's security policy. It's the network team
security policy.
We need to work out a security policy that covers all of Tor first:
See https://trac.torproject.org/projects/tor/ticket/13968#comment:27
Please open another ticket for this issue.
> * Signature: File is missing. Should it be signed with the
> deb.torproject.org archive signing key
> (8B904624C5A28654E4539BC2E135A8B41A7BF184)?
I don't understand what the Debian archive has to do with the security
policy.
I suggest we use the tor-security list key, or some other key that many
people trust.
Also, how did this patch get merged without a signature?
Please open a ticket to remove the signature line, because it looks
broken.
Then, please open a ticket to get it signed.
(Please don't change the titles of tickets to a different task, that's
confusing. And integers are cheap.)
> * Hiring: it could help the Torproject to always have an open position
> for security researchers
Tor security researchers typically work for universities or similar
organisations, or are freelance, or are volunteers.
Since we don't have open security-related jobs, please open a ticket to
remove the hiring line.
Also, Tor doesn't always have positions open in any category.
Changing this part of Tor is best done by talking to HR, the executive
director, or the affected teams. It really isn't a good topic for a trac
ticket.
> Who's willing to adopt this ticket?
If you open separate tickets for each task, different people might adopt
those tasks.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25131#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online