Opened 3 years ago
Last modified 2 years ago
#25131 needs_review enhancement
Add a security.txt file to torproject.org
| Reported by: | teor | Owned by: | |
|---|---|---|---|
| Priority: | Medium | Milestone: | website redesign |
| Component: | Webpages/Website | Version: | |
| Severity: | Normal | Keywords: | |
| Cc: | dmr | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
security.txt files give people the information they need to contact Tor when they find a security issue.
It's an IETF draft, and Google has done it, so maybe we should too:
https://securitytxt.org/
We can use the existing information at:
https://www.torproject.org/about/contact#security
And we might want to:
- add a PGP key file
- add a signature
- maybe add a policy or acknowledgements when we decide how they work
Child Tickets
| Ticket | Type | Status | Owner | Summary |
|---|---|---|---|---|
| #2259 | enhancement | new | erinn | The "new ticket" page should contain good advice on how to write good tickets. |
| #5489 | task | closed | nickm | Write up a "how to report bugs and security issues, and what happens then" post or FAQ |
| #27421 | defect | new | Tor security policy | |
| #27422 | defect | closed | Remove signature line from security.txt | |
| #27423 | defect | new | Sign security.txt | |
| #27424 | defect | closed | Remove hiring line from security.txt | |
| #27458 | task | needs_review | security.txt: Add acknowledgments page to honour our security researches |
Change History (17)
comment:1 Changed 3 years ago by
| Milestone: | → website redesign |
|---|
comment:2 Changed 2 years ago by
| Status: | new → needs_review |
|---|
comment:3 Changed 2 years ago by
| Cc: | dmr added |
|---|
comment:4 follow-up: 6 Changed 2 years ago by
| Status: | needs_review → new |
|---|
This got merge although the links in security.txt do not yet point to useful information, also it is missing a signature.
- Policy: the current security policy is a draft and should be published in a (signed) blog post (#5489) and linked from https://torproject.org/about/contact#security
- Signature: File is missing. Should it be signed with the deb.torproject.org archive signing key (8B904624C5A28654E4539BC2E135A8B41A7BF184)?
- Hiring: it could help the Torproject to always have an open position for security researchers
Who's willing to adopt this ticket?
comment:5 Changed 2 years ago by
| Summary: | Add a security.txt file to torproject.org → Sign security.txt |
|---|
comment:6 Changed 2 years ago by
Replying to traumschule:
This got merge although the links in security.txt do not yet point to useful information, also it is missing a signature.
- Policy: the current security policy is a draft and should be published in a (signed) blog post (#5489) and linked from https://torproject.org/about/contact#security
That's not the Tor Project's security policy. It's the network team security policy.
We need to work out a security policy that covers all of Tor first:
See https://trac.torproject.org/projects/tor/ticket/13968#comment:27
Please open another ticket for this issue.
- Signature: File is missing. Should it be signed with the deb.torproject.org archive signing key (8B904624C5A28654E4539BC2E135A8B41A7BF184)?
I don't understand what the Debian archive has to do with the security policy.
I suggest we use the tor-security list key, or some other key that many people trust.
Also, how did this patch get merged without a signature?
Please open a ticket to remove the signature line, because it looks broken.
Then, please open a ticket to get it signed.
(Please don't change the titles of tickets to a different task, that's confusing. And integers are cheap.)
- Hiring: it could help the Torproject to always have an open position for security researchers
Tor security researchers typically work for universities or similar organisations, or are freelance, or are volunteers.
Since we don't have open security-related jobs, please open a ticket to remove the hiring line.
Also, Tor doesn't always have positions open in any category.
Changing this part of Tor is best done by talking to HR, the executive director, or the affected teams. It really isn't a good topic for a trac ticket.
Who's willing to adopt this ticket?
If you open separate tickets for each task, different people might adopt those tasks.
comment:7 Changed 2 years ago by
Thanks for the review.
Also, how did this patch get merged without a signature?
I guess it was merged without reading the PR description or the according ticket.
If you open separate tickets for each task, different people might adopt those tasks.
Done.
comment:8 Changed 2 years ago by
| Summary: | Sign security.txt → Add a security.txt file to torproject.org |
|---|
(Please don't change the titles of tickets to a different task, that's confusing. And integers are cheap.)
Changing it back.
comment:9 Changed 2 years ago by
| Status: | new → needs_review |
|---|
comment:10 Changed 2 years ago by
I am confused by the commits in this pull request. It looks like some of them have already been merged to master?
It looks like you tried to add a commit called "rebase".
Instead, please rebase the branch onto master, and open a new pull request with the result.
Here are my comments on the original commit to the contact page:
I don't understand what the "acknowledgements" are. The network team security policy is *not* the security policy for the whole of Tor. The link to .well_known/security.txt is blank. Does that work?
comment:11 Changed 2 years ago by
| Status: | needs_review → needs_revision |
|---|
comment:12 follow-up: 14 Changed 2 years ago by
(learned something: I used the already merged branch securitytxt, added the commit and did 'git rebase master'. So all commits got a new hash. Instead I need to deleted the merged branch, checkout -b securitytxt and add the commit there.)
I don't understand what the "acknowledgements" are.
This is something the securitytxt people came up with: https://tools.ietf.org/html/draft-foudil-securitytxt-04#section-3.4.1
Basically a place to honour the work of former / current security researchers. I created #27458 for it.
The network team security policy is *not* the security policy for the whole of Tor.
Yes, the current link does not make much sense. I propose to make up a (wiki?) path like TorSecurityPolicy? to be filled later. It probably should also appear on WikiStart#OfficialTorLinks.
The link to .well_known/security.txt is blank. Does that work?
Got me. The whole PR was WIP and I did not expect it to be merged at this stage.
comment:13 Changed 2 years ago by
| Status: | needs_revision → needs_review |
|---|
push -f, so same link: https://github.com/torproject/webwml/pull/39
The original PR had some more info on the concept:
https://github.com/torproject/webwml/pull/9
comment:14 Changed 2 years ago by
Replying to traumschule:
The network team security policy is *not* the security policy for the whole of Tor.
Yes, the current link does not make much sense. I propose to make up a (wiki?) path like TorSecurityPolicy? to be filled later. It probably should also appear on WikiStart#OfficialTorLinks.
Ok, but you can't link to a blank policy. That's confusing.
I suggest that you point to the network team security policy as the policy for "tor (the network daemon)", and note that other projects may have their own policies.
comment:15 follow-up: 16 Changed 2 years ago by
What do you think about https://github.com/torproject/webwml/pull/39/commits/12b283eecd4f467bb05171f3c0616e99051d4dab
comment:16 Changed 2 years ago by
Replying to traumschule:
What do you think about https://github.com/torproject/webwml/pull/39/commits/12b283eecd4f467bb05171f3c0616e99051d4dab
I'm not sure.
If you link to a wiki, then we can add new policies easily, but the content is hard to trust.
If you get the security.txt file signed, then it's harder to update the links.
Please check the links, they have typos.
And please be consistent with your onion links: either provide onion links for all links, or no links.
Open for discussion:
https://github.com/torproject/webwml/pull/9
(not to be merged until fully adopted, see checklist in description)