Add Security Policy #755

Merged
merged 10 commits into from
Jan 18, 2025
2 changes: 1 addition & 1 deletion CHANGES.rst
Expand Up @@ -14,7 +14,7 @@ Breaking changes:

New features:

- ...
- Add :ref:`Security Policy`

Bug fixes:

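Review bot: the ``:ref:`Security Policy``` reference on the added line only resolves because this same PR enables ``sphinx.ext.autosectionlabel`` in docs/conf.py; with that extension the label is the bare heading text, so any other section titled "Security Policy" anywhere in the docs would make the reference ambiguous and produce a duplicate-label warning. An explicit target such as ``.. _security-policy:`` placed directly above the heading in docs/security.rst, referenced here as ``:ref:`security-policy```, does not depend on the extension and survives a heading rename.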
8 changes: 4 additions & 4 deletions CONTRIBUTING.rst
Expand Up @@ -18,12 +18,12 @@ For pull requests, keep this in mind

- Add a test which proves your fix and make it pass.

- Describe your change in CHANGES.rst
- Describe your change in ``CHANGES.rst``

- Add yourself to the docs/credits.rst
- Add yourself to the ``docs/credits.rst``

Development Setup
-----------------
Setup for Development
---------------------

If you would like to setup icalendar to
contribute changes, the `Installation Section
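Review bot: renaming the heading "Development Setup" to "Setup for Development" changes the autosectionlabel target generated for it, so any existing ``:ref:`Development Setup``` link elsewhere in the docs will break; either grep for references to the old title or add an explicit label above the new heading. Minor style point on the credits line: "Add yourself to the ``docs/credits.rst``" keeps a stray "the" before a file path; "Add yourself to ``docs/credits.rst``" reads better and matches the ``CHANGES.rst`` line above it.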
7 changes: 7 additions & 0 deletions SECURITY.md
@@ -0,0 +1,7 @@
# Security Policy

Please find our [security policy in the documentation](https://icalendar.readthedocs.io/en/latest/security.html).

See also:

- [docs/security.rst](docs/security.rst)
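Review bot: SECURITY.md contains no reporting instructions of its own, only links to the rendered docs and to docs/security.rst, so someone who lands on the repository's Security tab has to leave GitHub to find out where to report. State the private reporting channel directly in this file (the repository's security advisory page is the one docs/security.rst points at) so the policy is usable even when the docs site is unreachable or the latest build is broken; the link to the full policy can stay below it.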
4 changes: 3 additions & 1 deletion docs/conf.py
Expand Up @@ -21,7 +21,9 @@
'sphinx.ext.autodoc',
'sphinx.ext.coverage',
'sphinx.ext.viewcode',
'sphinx_copybutton'
'sphinx_copybutton',
'sphinx.ext.intersphinx',
'sphinx.ext.autosectionlabel',
]
source_suffix = '.rst'
master_doc = 'index'
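Review bot: ``sphinx.ext.intersphinx`` is enabled here but no ``intersphinx_mapping`` appears in this hunk; without one the extension does nothing, so either add a mapping or drop the entry. For ``sphinx.ext.autosectionlabel``, consider also setting ``autosectionlabel_prefix_document = True``: by default the generated label is the heading text alone, so two pages that share a heading (a "Contributing" title in more than one document, for instance) collide and Sphinx emits duplicate-label warnings.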
2 changes: 0 additions & 2 deletions docs/contributing.rst
@@ -1,5 +1,3 @@
.. _contributing:

------------------
Contributing
------------------
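Review bot: with the over/underlined "Contributing" title removed, the explicit target ``.. _contributing:`` is now followed only by a blank line and whatever content comes after this hunk. A ``:ref:`contributing``` without explicit link text resolves only when the label sits immediately before a section title, so confirm that the next element is a heading (for example the first title of an included CONTRIBUTING.rst); otherwise Sphinx reports the label as undefined or without a title. If the removal is meant to avoid an autosectionlabel duplicate with a "Contributing" heading in the included file, a one-line comment saying so would help the next reader.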
1 change: 1 addition & 0 deletions docs/index.rst
Expand Up @@ -21,3 +21,4 @@ Contents
:titlesonly:

contributing
security
34 changes: 34 additions & 0 deletions docs/security.rst
Member
For a security policy, see examples at:

It's really up to you what you want to include. If you have another revision after reviewing the above items, please @ me and I'll take another look. I'd suggest incorporating some bits and pieces from the above, especially how to work with CVEs.

Member Author
Thank you for the links! I changed it to link to the Plone security page.

I will also write to the security team to ask if they have any feedback on this change.

@@ -0,0 +1,34 @@
Security Policy
===============

This documents the security policy and actions to take to secure the security of the package, its deployment and use.

Supported Versions
------------------

Security vulnerabilities are fixed only for the latest version of `icalendar`.

.. list-table:: Versions to receive security updates
:widths: 25 25
:header-rows: 1

* - Version
- Supported
* - 6.*
- ✅
* - 5.*
- ❌
* - 4.*
- ❌
* - < 4.*
- ❌


Reporting a Vulnerability
-------------------------

Please report any vulnerabilities you find on this project's
`Security Page <https://github.com/collective/icalendar/security>`_.
If you cannot do this, please contact one of the
:ref:`maintainers`
directly or open an issue.
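Review bot: the fallback "or open an issue" in the Reporting a Vulnerability section sends reporters to the public issue tracker, which contradicts the private Security Page named in the previous sentence and would disclose an unfixed bug to everyone. Drop those words and keep only private fallbacks, for example "contact one of the :ref:`maintainers` directly by e-mail"; a sentence on what to expect after a report (acknowledgement, coordinated fix and release, credit) would also fit here. Two smaller points in the same file: the intro should read "ensure the security of the package", not "secure the security", and ``icalendar`` in the Supported Versions paragraph is wrapped in single backticks, which reStructuredText renders as interpreted text rather than a literal; use double backticks as CONTRIBUTING.rst does. Finally, "only for the latest version" is narrower than the table, which marks the whole 6.* series as supported; "the latest major version (6.*)" matches the table.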
Member
You should not ask people to open a security issue in a public arena, such as an issue tracker. This also conflicts with the link above, which links to https://plone.org/security/report.

If you want to create an email distribution group, and add members to it to review security, I'd suggest following Pylons Project's example as in https://groups.google.com/g/pylons-project-security/ or other free email group distribution list service that is less Google-y.

Member Author
I would opt for the GitHub process. This way, we do not need to maintain another list.
