Signature: File is missing. Should it be signed with the deb.torproject.org archive signing key (8B904624C5A28654E4539BC2E135A8B41A7BF184)?
I don't understand what the Debian archive has to do with the security policy.
I suggest we use the tor-security list key, or some other key that many people trust.
Also, how did this patch get merged without a signature?
Please open a ticket to remove the signature line, because it looks broken.
Then, please open a ticket to get it signed.
(Please don't change the titles of tickets to a different task, that's confusing. And integers are cheap.)
Hiring: it could help the Torproject to always have an open position for security researchers
Tor security researchers typically work for universities or similar organisations, or are freelance, or are volunteers.
Since we don't have open security-related jobs, please open a ticket to remove the hiring line.
Also, Tor doesn't always have positions open in any category.
Changing this part of Tor is best done by talking to HR, the executive director, or the affected teams. It really isn't a good topic for a trac ticket.
Who's willing to adopt this ticket?
If you open separate tickets for each task, different people might adopt those tasks.
Also, how did this patch get merged without a signature?
I guess it was merged without reading the PR description or the corresponding ticket.
If you open separate tickets for each task, different people might adopt those tasks.
Done.
I am confused by the commits in this pull request. It looks like some of them have already been merged to master?
It looks like you tried to add a commit called "rebase".
Instead, please rebase the branch onto master, and open a new pull request with the result.
Here are my comments on the original commit to the contact page:
I don't understand what the "acknowledgements" are.
The network team security policy is *not* the security policy for the whole of Tor.
The link to .well_known/security.txt is blank. Does that work?
(learned something: I used the already merged branch securitytxt, added the commit and did 'git rebase master'. So all commits got a new hash. Instead I need to delete the merged branch, checkout -b securitytxt and add the commit there.)
The network team security policy is not the security policy for the whole of Tor.
Yes, the current link does not make much sense. I propose to make up a (wiki?) path like TorSecurityPolicy to be filled later. It probably should also appear on WikiStart#OfficialTorLinks.
The link to .well_known/security.txt is blank. Does that work?
Got me. The whole PR was WIP and I did not expect it to be merged at this stage.
The network team security policy is not the security policy for the whole of Tor.
Yes, the current link does not make much sense. I propose to make up a (wiki?) path like TorSecurityPolicy to be filled later. It probably should also appear on WikiStart#OfficialTorLinks.
Ok, but you can't link to a blank policy. That's confusing.
I suggest that you point to the network team security policy as the policy for "tor (the network daemon)", and note that other projects may have their own policies.
If you link to a wiki, then we can add new policies easily, but the content is hard to trust.
If you get the security.txt file signed, then it's harder to update the links.
Please check the links, they have typos.
And please be consistent with your onion links: either provide onion links for all links, or no links.
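The review points raised in this thread (a blank link, a misspelled field name, onion links given for some fields but not others) can be caught before a security.txt PR is opened. The linter below is an added example, not code from the ticket or from Tor; the field names follow the draft the ticket discusses, and the sample file, its example.org hosts and the .onion address are constructed placeholders.

```python
from urllib.parse import urlparse

# Field names used by the security.txt draft this ticket discusses; anything else is reported.
KNOWN_FIELDS = {"contact", "encryption", "acknowledgements", "acknowledgments",
                "policy", "hiring", "signature"}

def lint(text):
    """Return a list of findings for a security.txt body; an empty list means clean."""
    findings, fields = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name.replace("-", "").isalpha():
            findings.append(f"line {n}: not a 'Field: value' line")
            continue
        if name not in KNOWN_FIELDS:
            findings.append(f"line {n}: unknown field '{name}' (typo?)")
        if not value:  # a blank link, like the Policy link questioned in the ticket
            findings.append(f"line {n}: '{name}' has a blank value")
            continue
        url = urlparse(value)
        if url.scheme not in ("http", "https", "mailto") or (url.scheme != "mailto" and not url.netloc):
            findings.append(f"line {n}: '{name}' value is not a usable link: {value}")
            continue
        fields.append((name, url))
    # Onion consistency: every field with a web link has an onion mirror, or none does.
    has_onion = {}
    for name, url in fields:
        if url.scheme != "mailto":
            has_onion[name] = has_onion.get(name, False) or url.netloc.endswith(".onion")
    if True in has_onion.values() and False in has_onion.values():
        missing = ", ".join(sorted(k for k, v in has_onion.items() if not v))
        findings.append(f"onion links are inconsistent; fields without an onion mirror: {missing}")
    return findings

# Constructed sample; hosts, paths and the .onion address are placeholders, not Tor's real URLs.
SAMPLE = """\
Contact: mailto:security@example.org
Contact: https://www.example.org/contact/
Policy: https://www.example.org/wiki/TorSecurityPolicy
Policy: http://placeholder-v3-address.onion/wiki/TorSecurityPolicy
Acknowledgements:
Hiring: https://www.example.org/about/jobs
Signature: https://www.example.org/.well-known/security.txt.sig
Encrytion: https://www.example.org/keys.asc
"""
```

Running `lint(SAMPLE)` reports the blank Acknowledgements line, the misspelled Encryption field, and that only Policy has an onion mirror; whether the Signature file actually exists and who signed it still has to be checked out of band.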