Update security policy#3
Conversation
rossabaker left a comment
I don't know if this is also the place to make explicit that firing up the Slop-o-Matic 3000™ and then screaming "security!" on a public issue may get you banned, but I fully support the swift action today on the core repo. Good work.
| Maintainer | Email | PGP key |
|------------|-------|---------|
| [Ross A. Baker](https://github.com/rossabaker) | ross@rossabaker.com | [0x975BE5BC29D92CA5](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x904c153733dbb0106915c0bd975be5bc29d92ca5) |
| [Arman Bilge](https://github.com/armanbilge) | arman@typelevel.org | [0xA335B107E9282548](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x1CAE49948EE0A2D7154A2B62A335B107E9282548) |
| [Erlend Hamnaberg](https://github.com/hamnis) | | |
@hamnis, I'm not sure if you want to expose an address or if you have a PGP key. If so, go ahead and "suggest changes" or push a commit onto this branch.
After the patch is available on Maven Central, we will also provide a [security advisory](https://github.com/http4s/http4s/security/advisories) through GitHub.

As with every release, the source jars are published to Maven Central at the same time as the binaries.

1. Navigate to the "Security and quality" tab at the top of the relevant repository, click the "Report a vulnerability" button, and complete the form as fully as possible.
2. Email the [Security Team](#security-team) with a description of the issue, the steps you took to reproduce it, the affected versions, and, if known, mitigations for the issue.
We don't have a nifty security@http4s.org address like Typelevel has, so this part is messy.
I am open to exploring the idea of merging this team and that team, but then why this affiliate project and not all affiliate projects? And all affiliate projects is not necessarily what the Typelevel team signed up for.
> I am open to exploring the idea of merging this team and that team, but then why this affiliate project and not all affiliate projects?
Are you open to http4s becoming a Typelevel organization project? In practice, this means:
- transferring http4s.org to the Typelevel Foundation; and
- signing GitHub's corporate terms to assign ownership of the http4s org to the Typelevel Foundation.

> GitHub's customer agreement requires you to transfer the ownership of your organization to your business.