From b4d038878518b7cba3221a87a1110604834d497c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 3 Nov 2016 14:10:38 -0400 Subject: [PATCH 1/4] move security verification to support section the rationale is to simplify the README file to the bare minimum. security researchers will be able to find the contact information if they look minimally and people installing the software will find a link where relevant (in binary releases only, since all the others have other trust paths) --- README.rst | 16 ---------------- docs/installation.rst | 3 +++ docs/support.rst | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/README.rst b/README.rst index 5044bc4e6..af05ff04f 100644 --- a/README.rst +++ b/README.rst @@ -113,22 +113,6 @@ Now doing another backup, just to show off the great deduplication: For a graphical frontend refer to our complementary project `BorgWeb `_. -Checking Release Authenticity and Security Contact --------------------------------------------------- - -`Releases `_ are signed with this GPG key, -please use GPG to verify their authenticity. - -In case you discover a security issue, please use this contact for reporting it privately -and please, if possible, use encrypted E-Mail: - -Thomas Waldmann - -GPG Key Fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393 - -The public key can be fetched from any GPG keyserver, but be careful: you must -use the **full fingerprint** to check that you got the correct key. - Links ----- diff --git a/docs/installation.rst b/docs/installation.rst index 523f43cdb..ff5cf7d1a 100644 --- a/docs/installation.rst +++ b/docs/installation.rst 
@@ -64,6 +64,9 @@ and compare that to our latest release and review the :doc:`changes`. Standalone Binary ----------------- +.. note:: Releases are signed with an OpenPGP key, see + :ref:`security-contact` for more instructions. + |project_name| binaries (generated with `pyinstaller`_) are available on the releases_ page for the following platforms: diff --git a/docs/support.rst b/docs/support.rst index 9d64621fc..5ee34de96 100644 --- a/docs/support.rst +++ b/docs/support.rst @@ -56,3 +56,21 @@ As a developer, you can become a Bounty Hunter and win bounties (earn money) by contributing to |project_name|, a free and open source software project. We might also use BountySource to fund raise for some bigger goals. + +.. _security-contact: + +Security +-------- + +In case you discover a security issue, please use this contact for reporting it privately +and please, if possible, use encrypted E-Mail: + +Thomas Waldmann + +GPG Key Fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393 + +The public key can be fetched from any GPG keyserver, but be careful: you must +use the **full fingerprint** to check that you got the correct key. + +`Releases `_ are signed with this GPG key, +please use GPG to verify their authenticity. From 19ae2a78701091aaa9df048f9f589ffd234c8653 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Fri, 4 Nov 2016 10:28:53 -0400 Subject: [PATCH 2/4] add FAQ about security --- docs/faq.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/faq.rst b/docs/faq.rst index 3622b3cf7..49b837a12 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -203,6 +203,13 @@ Thus: - have media at another place - have a relatively recent backup on your media +How do I report security issue with |project_name|? +--------------------------------------------------- + +Send a private email to the :ref:`security-contact` if you think you +have discovered a security issue. Please disclose security issues +responsibly. + Why do I get "connection closed by remote" after a while? --------------------------------------------------------- From 0cda9d6bd31f767cdb9026ccd585bc979b29548e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Fri, 4 Nov 2016 10:31:27 -0400 Subject: [PATCH 3/4] add link to security contact in README --- README.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.rst b/README.rst index af05ff04f..e7f892c7b 100644 --- a/README.rst +++ b/README.rst @@ -137,6 +137,9 @@ NOT RELEASED DEVELOPMENT VERSIONS HAVE UNKNOWN COMPATIBILITY PROPERTIES. THIS IS SOFTWARE IN DEVELOPMENT, DECIDE YOURSELF WHETHER IT FITS YOUR NEEDS. +Security issues should be reported to the :ref:`security-contact` (or +see ``docs/suppport.rst`` in the source distribution). + |doc| |build| |coverage| |bestpractices| .. |doc| image:: https://readthedocs.org/projects/borgbackup/badge/?version=stable From 319ecd81bb74788d135c89e844409598f05a270c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Fri, 4 Nov 2016 11:26:02 -0400 Subject: [PATCH 4/4] fix links in standalone README github and standalone docutils don't parse :ref: tags correctly --- README.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.rst b/README.rst index e7f892c7b..2c407c1d3 100644 --- a/README.rst +++ b/README.rst @@ -126,6 +126,7 @@ Links * `Web-Chat (IRC) `_ and `Mailing List `_ * `License `_ +* `Security contact `_ Compatibility notes ------------------- 
@@ -137,7 +138,7 @@ NOT RELEASED DEVELOPMENT VERSIONS HAVE UNKNOWN COMPATIBILITY PROPERTIES. THIS IS SOFTWARE IN DEVELOPMENT, DECIDE YOURSELF WHETHER IT FITS YOUR NEEDS. -Security issues should be reported to the :ref:`security-contact` (or +Security issues should be reported to the `Security contact`_ (or see ``docs/suppport.rst`` in the source distribution). |doc| |build| |coverage| |bestpractices|
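Review bot: in the README.rst hunk of patch 1/4, deleting the whole "Checking Release Authenticity and Security Contact" section leaves the README with no pointer to where the key fingerprint went; the pointer only arrives in patch 3/4, so squash the two (or keep a one-line link to the support page in this hunk) so that no intermediate commit ships a README without any security contact.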
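Review bot: the note added in the docs/installation.rst hunk of patch 1/4 sends readers to :ref:`security-contact` "for more instructions", but the target section added in docs/support.rst only gives the fingerprint and says "please use GPG to verify"; either add the actual steps there (fetch the key by its full fingerprint, then run gpg --verify on the downloaded binary and its signature) or reword the note to "for the signing key fingerprint".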
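Review bot: in the docs/support.rst hunk of patch 1/4, the closing sentence "`Releases`_ are signed with this GPG key" is placed after the keyserver paragraph, so "this GPG key" refers back across two paragraphs; move it directly under the "GPG Key Fingerprint:" line, and consider giving release verification its own heading so the `security-contact` label keeps one meaning (private vulnerability reporting) for the FAQ and README links that reuse it.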
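Review bot: the new heading in the docs/faq.rst hunk of patch 2/4 is missing an article and should read "How do I report a security issue with |project_name|?"; lengthen the dash underline to match, since Sphinx warns when a title underline is shorter than the title.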
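Review bot: the README.rst hunk of patch 3/4 points readers at ``docs/suppport.rst`` (three p's), but the file added in patch 1/4 is ``docs/support.rst``, so the fallback path for people reading the source distribution is wrong; fix the spelling. The :ref: role in the same line does not render outside Sphinx, which patch 4/4 fixes by switching to a `Security contact`_ target; folding that fix in here avoids an intermediate README with a broken link.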
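Review bot: the second hunk of patch 4/4 still carries ``docs/suppport.rst`` as an unchanged context line right below the line being rewritten; since this commit already touches that paragraph to fix the link, correct the path to ``docs/support.rst`` in the same change rather than leaving a misspelled fallback path in the standalone README.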