XR packaging for Fedora Atomic

update security docs

Signed-off-by: @matrixfurry.com <did:plc:zmjoeu3stwcn44647rhxa44o>

+66 -4
+1 -4
README.md
··· 46 46 This is caused by using Homebrew's GCC instead of Fedora's. Make sure Homebrew GCC is uninstalled and not a dependency. 47 47 48 48 ## Security ## 49 - Please report security issues via [SimpleX](https://smp18.simplex.im/a#Wc2x2IBqqwzgmeGkN0XtKrGMLBxFuxmoYgkTGgGgR0M) or [Email](mailto:shiloh@shilohfen.com). 50 49 51 - > If you want to send an encrypted email, my public key fingerprint is [DD7EB0BAA822169398828C45103DD5193B6A77CB](https://keys.openpgp.org/vks/v1/by-fingerprint/DD7EB0BAA822169398828C45103DD5193B6A77CB). 52 - 53 - Do not report security issues on the issue tracker. 50 + See [@matrixfurry.com/SECURITY.md](https://tangled.org/strings/@matrixfurry.com/3m2igb2euyh22) or [SECURITY.md](./SECURITY.md).
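Review bot: the new line 50 in README.md gives the hosted `@matrixfurry.com/SECURITY.md` string and the in-repo `./SECURITY.md` equal standing, but nothing says which copy is authoritative, and the hosted string can change without any commit to this repository. Suggest pointing the README only at `./SECURITY.md` and letting that file link the external copy, or stating explicitly which one wins when the two differ.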
+65
SECURITY.md
··· 1 + For the most up-to-date policy, please see [@matrixfurry.com/SECURITY.md](https://tangled.org/strings/@matrixfurry.com/3m2igb2euyh22). 2 + 3 + # Reporting 4 + Please report security issues via [SimpleX](https://smp18.simplex.im/a#Wc2x2IBqqwzgmeGkN0XtKrGMLBxFuxmoYgkTGgGgR0M) or [Email](mailto:shiloh@shilohfen.com). 5 + 6 + > If you want to send an encrypted email, my public key fingerprint is [DD7EB0BAA822169398828C45103DD5193B6A77CB](https://keys.openpgp.org/vks/v1/by-fingerprint/DD7EB0BAA822169398828C45103DD5193B6A77CB). 7 + 8 + Please do not report security issues on the project's issue tracker. 9 + 10 + # Commit signing 11 + 12 + Commit signing is optional but highly recommended. Once you make your first signed commit, all future commits must be signed. 13 + 14 + SSH signing is preferred over PGP signing. 15 + 16 + To enable signature verification, add your public key to your Tangled profile, and optionally the `.allowed_signers` file in the project's repo. 17 + 18 + ## Setup 19 + Replace `<YOUR_KEY>` with the SSH key or keyfile you'd like to use (eg. `~/.ssh/id_ed25519`). 20 + 21 + Git: 22 + ```sh 23 + git config --global gpg.format ssh 24 + git config --global user.signingkey <YOUR_KEY> 25 + git config --global commit.gpgsign true 26 + ``` 27 + 28 + Jujutsu: 29 + ```sh 30 + jj config set --user signing.behavior own 31 + jj config set --user signing.backend ssh 32 + jj config set --user signing.key <YOUR_KEY> 33 + ``` 34 + 35 + Add the public key to your Tangled profile at https://tangled.org/settings/keys 36 + 37 + Optionally, add your public key to the repo's `.allowed_signers` file: 38 + - Git: `echo "$(git config user.email) $(cat ~/.ssh/id_ed25519.pub)" >> .allowed_signers` 39 + - Jujutsu: `echo "$(jj config get user.email) $(cat ~/.ssh/id_ed25519.pub)" >> .allowed_signers` 40 + 41 + ## Key Revocation 42 + Revoked keys are listed in `.revoked_keys` ([OpenSSH KRL](https://man.openbsd.org/ssh-keygen.1#KEY_REVOCATION_LISTS) format). 
Keys must never be reinstated or removed from this file. After a revocation, you must create a new key to continue contributing to the project. 43 + 44 + A key revocation must be signed by either: 45 + 1. The key being revoked 46 + - Anyone with access to the private key can create the revocation commit 47 + 48 + 2. A maintainer with proof of compromise 49 + - The maintainer must have significant evidence that the key has been compromised 50 + - The maintainer must attempt to reach out to the contributor to confirm 51 + - The commit message must provide details of why the key is being revoked 52 + 53 + ### Instructions 54 + 55 + Add the key to the `.revoked_keys` file: 56 + ```sh 57 + ssh-keygen -k -u -f .revoked_keys <PUBKEY.pub> 58 + ``` 59 + 60 + View the revoked keys: 61 + ```sh 62 + ssh-keygen -Q -l -f .revoked_keys 63 + ``` 64 + 65 + For more information, see the [ssh-keygen(1) manpage](https://man.openbsd.org/ssh-keygen.1#k)
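Review bot: the "Commit signing" Setup section in SECURITY.md tells contributors how to produce signatures but never tells anyone verifying them how to consume `.allowed_signers` and `.revoked_keys`; `git verify-commit` and `git log --show-signature` will not accept an SSH signature until `git config gpg.ssh.allowedSignersFile .allowed_signers` and `git config gpg.ssh.revocationFile .revoked_keys` are set, so add those two lines under Setup (a `jj` equivalent is not covered here). Two points in "Key Revocation": option 1 lets the revoked key sign the revocation commit, but once the KRL is applied that commit's own signature fails verification, so the policy should state that a revocation commit is checked against the `.revoked_keys` state of its parent; and `ssh-keygen -k -u -f .revoked_keys <PUBKEY.pub>` updates an existing KRL, so document creating the file (run without `-u`) for the first entry. Minor: the KRL is binary, so a reviewer cannot see from the diff that no key was removed or reinstated as line 42 requires; ask that the commit message include the `ssh-keygen -Q -l -f .revoked_keys` listing before and after.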