XR for Universal Blue and Fedora Atomic Desktops
vr fedora-atomic linux

docs: update security policy

Signed-off-by: @matrixfurry.com <did:plc:zmjoeu3stwcn44647rhxa44o>

+66 -4
+1 -4
README.md
··· 77 77 See the [AtomicXR Homebrew Tap](https://tangled.sh/@matrixfurry.com/homebrew-atomicxr) for a list of plugins you can install. 78 78 79 79 ## Security ## 80 - Please report security issues via [SimpleX](https://smp18.simplex.im/a#Wc2x2IBqqwzgmeGkN0XtKrGMLBxFuxmoYgkTGgGgR0M) or [Email](mailto:shiloh@shilohfen.com). 81 80 82 - > If you want to send an encrypted email, my public key fingerprint is [DD7EB0BAA822169398828C45103DD5193B6A77CB](https://keys.openpgp.org/vks/v1/by-fingerprint/DD7EB0BAA822169398828C45103DD5193B6A77CB). 83 - 84 - Do not report security issues on the issue tracker. 81 + See [@matrixfurry.com/SECURITY.md](https://tangled.org/strings/@matrixfurry.com/3m2igb2euyh22) or [SECURITY.md](./SECURITY.md). 85 82 86 83 ## Support ## 87 84
+65
SECURITY.md
··· 1 + For the most up-to-date policy, please see [@matrixfurry.com/SECURITY.md](https://tangled.org/strings/@matrixfurry.com/3m2igb2euyh22). 2 + 3 + # Reporting 4 + Please report security issues via [SimpleX](https://smp18.simplex.im/a#Wc2x2IBqqwzgmeGkN0XtKrGMLBxFuxmoYgkTGgGgR0M) or [Email](mailto:shiloh@shilohfen.com). 5 + 6 + > If you want to send an encrypted email, my public key fingerprint is [DD7EB0BAA822169398828C45103DD5193B6A77CB](https://keys.openpgp.org/vks/v1/by-fingerprint/DD7EB0BAA822169398828C45103DD5193B6A77CB). 7 + 8 + Please do not report security issues on the project's issue tracker. 9 + 10 + # Commit signing 11 + 12 + Commit signing is optional but highly recommended. Once you make your first signed commit, all future commits must be signed. 13 + 14 + SSH signing is preferred over PGP signing. 15 + 16 + To enable signature verification, add your public key to your Tangled profile, and optionally the `.allowed_signers` file in the project's repo. 17 + 18 + ## Setup 19 + Replace `<YOUR_KEY>` with the SSH key or keyfile you'd like to use (eg. `~/.ssh/id_ed25519`). 20 + 21 + Git: 22 + ```sh 23 + git config --global gpg.format ssh 24 + git config --global user.signingkey <YOUR_KEY> 25 + git config --global commit.gpgsign true 26 + ``` 27 + 28 + Jujutsu: 29 + ```sh 30 + jj config set --user signing.behavior own 31 + jj config set --user signing.backend ssh 32 + jj config set --user signing.key <YOUR_KEY> 33 + ``` 34 + 35 + Add the public key to your Tangled profile at https://tangled.org/settings/keys 36 + 37 + Optionally, add your public key to the repo's `.allowed_signers` file: 38 + - Git: `echo "$(git config user.email) $(cat ~/.ssh/id_ed25519.pub)" >> .allowed_signers` 39 + - Jujutsu: `echo "$(jj config get user.email) $(cat ~/.ssh/id_ed25519.pub)" >> .allowed_signers` 40 + 41 + ## Key Revocation 42 + Revoked keys are listed in `.revoked_keys` ([OpenSSH KRL](https://man.openbsd.org/ssh-keygen.1#KEY_REVOCATION_LISTS) format). 
Keys must never be reinstated or removed from this file. After a revocation, you must create a new key to continue contributing to the project. 43 + 44 + A key revocation must be signed by either: 45 + 1. The key being revoked 46 + - Anyone with access to the private key can create the revocation commit 47 + 48 + 2. A maintainer with proof of compromise 49 + - The maintainer must have significant evidence that the key has been compromised 50 + - The maintainer must attempt to reach out to the contributor to confirm 51 + - The commit message must provide details of why the key is being revoked 52 + 53 + ### Instructions 54 + 55 + Add the key to the `.revoked_keys` file: 56 + ```sh 57 + ssh-keygen -k -u -f .revoked_keys <PUBKEY.pub> 58 + ``` 59 + 60 + View the revoked keys: 61 + ```sh 62 + ssh-keygen -Q -l -f .revoked_keys 63 + ``` 64 + 65 + For more information, see the [ssh-keygen(1) manpage](https://man.openbsd.org/ssh-keygen.1#k)
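Review bot: the README.md hunk drops the explicit "Do not report security issues on the issue tracker" sentence along with the contact details, so README now says nothing about where not to report; since people routinely open tracker issues without reading SECURITY.md, keep a one-line pointer next to the new link, e.g. `See [SECURITY.md](./SECURITY.md) for how to report vulnerabilities privately; do not use the issue tracker.` The two links in the replacement line point at the same policy in two places (the tangled.org string and the in-repo file), which can drift apart; SECURITY.md already declares the external copy authoritative, so consider linking only the in-repo file from README and letting it forward.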
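Review bot: the revocation instruction in the SECURITY.md hunk, `ssh-keygen -k -u -f .revoked_keys <PUBKEY.pub>`, fails on the first revocation because `-u` updates an existing KRL and `.revoked_keys` is not added by this commit; either commit an empty KRL generated with `ssh-keygen -k -f .revoked_keys` alongside this file, or document that the first revocation omits `-u` and later ones add it. The "Commit signing" section also tells contributors how to sign and how to populate `.allowed_signers`, but never tells anyone how to verify: a reviewer needs `git config gpg.ssh.allowedSignersFile .allowed_signers` and `git config gpg.ssh.revocationFile .revoked_keys` before `git verify-commit <rev>` or `git log --show-signature` will honour either file, so add those two lines under Setup. Finally, the "Key Revocation" section should state what revocation means for history: a KRL entry has no validity window, so once a key is in `.revoked_keys` every commit it ever signed, including ones made before the compromise, verifies as revoked; say whether those earlier commits are treated as still trusted (per-commit review) or must be re-signed.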