[tor-bugs] #25131 [Webpages/Website]: Sign security.txt

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 3 01:50:33 UTC 2018 

#25131: Sign security.txt
------------------------------+----------------------------------
 Reporter:  teor              |          Owner:  (none)
     Type:  enhancement       |         Status:  new
 Priority:  Medium            |      Milestone:  website redesign
Component:  Webpages/Website  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+----------------------------------

Comment (by teor):

 Replying to [comment:4 traumschule]:
 > This got merge although the links in [https://torproject.org/.well-
 known/security.txt security.txt] do not yet point to useful information,
 also it is missing a signature.
 > * Policy: the current [[org/teams/NetworkTeam/SecurityPolicy|security
 policy]] is a draft and should be published in a (signed) blog post
 (#5489) and linked from https://torproject.org/about/contact#security

 That's not the Tor Project's security policy. It's the network team
 security policy.

 We need to work out a security policy that covers all of Tor first:
 See https://trac.torproject.org/projects/tor/ticket/13968#comment:27

 Please open another ticket for this issue.

 > * Signature: File is missing. Should it be signed with the
 deb.torproject.org archive signing key
 (8B904624C5A28654E4539BC2E135A8B41A7BF184)?

 I don't understand what the Debian archive has to do with the security
 policy.
 I suggest we use the tor-security list key, or some other key that many
 people trust.

 Also, how did this patch get merged without a signature?
 Please open a ticket to remove the signature line, because it looks
 broken.

 Then, please open a ticket to get it signed.
 (Please don't change the titles of tickets to a different task, that's
 confusing. And integers are cheap.)

 > * Hiring: it could help the Torproject to always have an open position
 for security researchers

 Tor security researchers typically work for universities or similar
 organisations, or are freelance, or are volunteers.
 Since we don't have open security-related jobs, please open a ticket to
 remove the hiring line.

 Also, Tor doesn't always have positions open in any category.

 Changing this part of Tor is best done by talking to HR, the executive
 director, or the affected teams. It really isn't a good topic for a trac
 ticket.

 > Who's willing to adopt this ticket?

 If you open separate tickets for each task, different people might adopt
 those tasks.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25131#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list