
security.txt expires date #2332

Closed
4 tasks done
Tealk opened this issue Jan 18, 2024 · 4 comments · Fixed by #2334
Labels
bug Something isn't working

Comments

@Tealk

Tealk commented Jan 18, 2024

Requirements

  • This is a bug report, and if not, please post to https://lemmy.ml/c/lemmy_support instead.
  • Please check to see if this issue already exists.
  • It's a single bug. Do not report multiple bugs in one issue.
  • It's a frontend issue, not a backend issue; Otherwise please create an issue on the backend repo instead.

Summary

The date would have to be adjusted:
https://github.com/LemmyNet/lemmy-ui/blob/main/src/server/handlers/security-handler.ts#L14

Lemmy Instance Version

0.19.2

Lemmy Instance URL

https://rollenspiel.forum/

@Tealk Tealk added the bug Something isn't working label Jan 18, 2024
@Nutomic
Member

Nutomic commented Jan 19, 2024

Does that endpoint even make sense in this way? Most admins are probably not aware of it, and don't configure these email addresses. If anything the email should be provided through an env var, and if none is provided then no security.txt is served. The expires field is documented here. I guess we could auto-generate a date one year in the future, but that's completely arbitrary so maybe it should also be supplied via env.

To be honest I would rather remove the security.txt entirely and leave it to instance admins to serve their own via nginx.

@Tealk
Author

Tealk commented Jan 19, 2024

Reading the mail address from .env makes sense, because the ones given there do not exist for me either.

I would continue to offer the file, because security problems are more likely to be reported in the project via Contact: mailto:[email protected] or the repo here instead of the admin who offers the service. Most of them will not be able to fix much of it in the lemmy code.

@Nutomic
Member

Nutomic commented Jan 19, 2024

The Lemmy footer has a link to the source code which has a way to report security issues. There is also a link to join-lemmy.org which lists additional contact methods. So I don't think the email is necessary, I'm not even sure if it's working or if anyone ever used it.

cc @dessalines

@Tealk
Author

Tealk commented Jan 19, 2024

Line 7 could then also be changed to:

`Contact: https://github.com/LemmyNet/lemmy-ui/security/advisories/new`

SleeplessOne1917 added a commit that referenced this issue Feb 16, 2024
* Changing security.txt to use github security advisories page.

- Fixes #2332

* Adding an expires date, one year from build date.

* Add a year to the build date in code.

* Fix dev.dockerfile build date.

---------

Co-authored-by: SleeplessOne1917 <[email protected]>
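The two design points raised in this thread (serve no security.txt at all unless a real contact is configured, and derive the `Expires` field from the build date plus one year) can be shown together in a small handler. The code below is an added example written for this page, not lemmy-ui's own `security-handler.ts` or the code merged in the referenced commit. The environment variable name `LEMMY_UI_SECURITY_CONTACT` and the `handleSecurityTxtRequest` response shape are assumptions chosen for the illustration; the field names and the RFC 3339 date format follow RFC 9116, which also recommends that `Expires` be less than a year in the future, so a build-date-plus-one-year value is at the edge of that recommendation and stale builds will serve an expired file.

```typescript
// Added example (not lemmy-ui code). Assumes a hypothetical env var
// LEMMY_UI_SECURITY_CONTACT holds the Contact URI; nothing is served without it.

interface SecurityTxtOptions {
  contact?: string;   // RFC 9116 Contact URI, e.g. a mailto: or https: link
  buildDate: Date;    // time the bundle was built; Expires is one year after this
}

interface SecurityTxtStatus {
  contact: string | null;
  expires: Date | null;
  expired: boolean;
}

// RFC 9116 requires Contact to be a URI; mailto: and https: are the usual schemes.
function isValidContact(contact: string): boolean {
  return /^(mailto:[^@\s]+@[^\s]+|https:\/\/\S+)$/.test(contact);
}

// Build the file body, or return null when no usable contact is configured,
// so the caller can answer 404 instead of publishing a placeholder address.
function buildSecurityTxt(opts: SecurityTxtOptions): string | null {
  if (!opts.contact || !isValidContact(opts.contact)) {
    return null;
  }
  // "Add a year to the build date": same calendar date next year, in UTC.
  const expires = new Date(opts.buildDate.getTime());
  expires.setUTCFullYear(expires.getUTCFullYear() + 1);
  // toISOString() is RFC 3339; drop the milliseconds for readability.
  const expiresStr = expires.toISOString().replace(/\.\d{3}Z$/, "Z");
  return [
    `Contact: ${opts.contact}`,
    `Expires: ${expiresStr}`,
    "Preferred-Languages: en",
    "",
  ].join("\n");
}

// Parse a security.txt body and report whether its Expires date has passed.
// Useful as a deploy-time check that a build is not shipping a stale file.
function checkSecurityTxt(body: string, now: Date): SecurityTxtStatus {
  let contact: string | null = null;
  let expires: Date | null = null;
  for (const raw of body.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const field = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (field === "contact" && contact === null) contact = value;
    if (field === "expires") {
      const parsed = new Date(value);
      expires = isNaN(parsed.getTime()) ? null : parsed;
    }
  }
  // A missing or unparseable Expires counts as expired: RFC 9116 makes it mandatory.
  const expired = expires === null || expires.getTime() <= now.getTime();
  return { contact, expires, expired };
}

// Framework-agnostic request handler: 404 when unconfigured, text/plain otherwise.
function handleSecurityTxtRequest(
  env: Record<string, string | undefined>,
  buildDate: Date,
): { status: number; contentType: string; body: string } {
  const body = buildSecurityTxt({ contact: env.LEMMY_UI_SECURITY_CONTACT, buildDate });
  if (body === null) {
    return { status: 404, contentType: "text/plain", body: "" };
  }
  return { status: 200, contentType: "text/plain", body };
}
```

In a real deployment the build date would be baked in at image build time (as the commit message describes) and `process.env` passed as `env`; `checkSecurityTxt` can run in CI against the served file to catch a build that is older than a year before it goes live.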