dev
Messages by Thread
[I] No Automatic Credential Revocation on Account Disable (tooling-trusted-releases)
via GitHub
[I] SSH Interface Lacks Rate Limiting for Write Operations (tooling-trusted-releases)
via GitHub
[I] API Models Lack Cross-Field Contextual Validation (tooling-trusted-releases)
via GitHub
[I] Optional Safe-Type URL Parameters Bypass Validation (tooling-trusted-releases)
via GitHub
[I] SBOM score_tool Uses previous_release_version in Path Without Validation (tooling-trusted-releases)
via GitHub
[I] Finish-Phase Operations Executable During Any Release Phase (tooling-trusted-releases)
via GitHub
[I] API Policy Update Bypasses Form-Level Business Validation (tooling-trusted-releases)
via GitHub
[I] Tar Archive Extraction Uses Explicitly Insecure Default Filter (tooling-trusted-releases)
via GitHub
[I] Thread ID Parameter Lacks Format Validation Before Server-Side Request (tooling-trusted-releases)
via GitHub
[I] Archive Extraction Does Not Inspect or Sanitize SVG Files (tooling-trusted-releases)
via GitHub
[I] HTTP Redirects Followed Without Target Domain Validation (tooling-trusted-releases)
via GitHub
[I] No SVG Sanitization Library or Function Exists in Codebase (tooling-trusted-releases)
via GitHub
[I] Form Fields Bypass Safe Type Validation (Multiple Instances) (tooling-trusted-releases)
via GitHub
[I] Unsandboxed render_string_sync API Allows Arbitrary Jinja2 Template Compilation (tooling-trusted-releases)
via GitHub
[I] Sequential Template Substitution Allows Variable Injection in Email Templates (tooling-trusted-releases)
via GitHub
[I] LDAP Filter Injection in Account Lookup Function (Multiple Files) (tooling-trusted-releases)
via GitHub
[I] User Input Used Directly as RegExp Without Escaping in Project Directory Filter (tooling-trusted-releases)
via GitHub
[I] Missing `--` Separator and Unsafe Argument Order in `sbomqs` Execution (tooling-trusted-releases)
via GitHub
[I] Missing URL Protocol Validation for Third-Party Distribution URLs Rendered in HTML (tooling-trusted-releases)
via GitHub
[I] SSH Host Key Generated with RSA 2048-bit (~112 bits of security) (tooling-trusted-releases)
via GitHub
[I] No Validation of Uploaded OpenPGP Key Cryptographic Strength (tooling-trusted-releases)
via GitHub
[I] Distribution Operations Have No Audit Logging (tooling-trusted-releases)
via GitHub
[I] Git Clone Operations Without Network Timeout (tooling-trusted-releases)
via GitHub
[I] Missing Centralized Documentation of Resource-Intensive Operations (tooling-trusted-releases)
via GitHub
[I] Archive Extraction Size Tracking Reset by Metadata Files (tooling-trusted-releases)
via GitHub
[I] Unbounded Directory Traversal and File Hashing in Signature Provenance Endpoint (tooling-trusted-releases)
via GitHub
[I] rsync Subprocess Execution Without Timeout (tooling-trusted-releases)
via GitHub
[I] API JWT Creation Endpoint Missing Cache-Control Header (tooling-trusted-releases)
via GitHub
[I] ALLOW_TESTS Flag Enables Complete Authentication Bypass in Production Worker (tooling-trusted-releases)
via GitHub
[I] Missing Project-Level Access Control on Multiple GET Endpoints (tooling-trusted-releases)
via GitHub
[I] Admin Token Revocation Does Not Terminate User Web Sessions (tooling-trusted-releases)
via GitHub
[I] IDOR in Check Ignore Operations via Numeric ID (tooling-trusted-releases)
via GitHub
[I] IDOR on check_id in Check Result Data Endpoint (tooling-trusted-releases)
via GitHub
[I] OAuth Authentication Does Not Terminate Prior Session Token (tooling-trusted-releases)
via GitHub
[I] No Session Termination After PAT Deletion or Creation (tooling-trusted-releases)
via GitHub
[I] Documented Rate Limits Missing on Multiple API Endpoints (tooling-trusted-releases)
via GitHub
[I] SBOM Task Functions Use File Paths Without Containment Validation (tooling-trusted-releases)
via GitHub
[I] Vote Resolution Phase Transitions Lack Optimistic Locking (tooling-trusted-releases)
via GitHub
[I] Upload Staging Endpoint Ignores Authentication Context (tooling-trusted-releases)
via GitHub
[I] State-Changing API Endpoints Lack Per-Endpoint Rate Limits (tooling-trusted-releases)
via GitHub
[I] Release Vote Logic Validation Always Passes Due to Catch-All Pattern (tooling-trusted-releases)
via GitHub
[I] Missing Phase Validation in Vote Start Flow (tooling-trusted-releases)
via GitHub
[I] Trusted Publishing Cross-Field Validation Bypassed Via Web Form (tooling-trusted-releases)
via GitHub
[I] Unsanitized Markdown-to-HTML Conversion Allows Stored XSS in SBOM Vulnerability Descriptions (tooling-trusted-releases)
via GitHub
[I] Vote Policy Form Bypasses Minimum Hours Range Check (tooling-trusted-releases)
via GitHub
[I] OpenPGP Key Management Entirely Lacks Audit Logging (tooling-trusted-releases)
via GitHub
[I] Committee Key Bulk Deletion Bypasses Storage Layer and Audit (tooling-trusted-releases)
via GitHub
[I] Admin User Impersonation Has No Audit Trail (tooling-trusted-releases)
via GitHub
[I] No Global Anti-Caching Middleware (Architectural Gap) (tooling-trusted-releases)
via GitHub
[I] Admin Environment Variable Endpoint Exposes All Secrets Without Redaction (tooling-trusted-releases)
via GitHub
[I] SVN Operations Disable TLS Certificate Verification (Supply Chain Risk) (tooling-trusted-releases)
via GitHub
[I] Key-Committee Association Bypasses Storage Layer Authorization (tooling-trusted-releases)
via GitHub
[I] Global Session Validation Hook Checks Age But Not Account Status (tooling-trusted-releases)
via GitHub
[I] SSH Authentication Completely Bypasses LDAP Account Status Checks (tooling-trusted-releases)
via GitHub
[PR] Bump actions/cache from 5.0.3 to 5.0.4 (tooling-trusted-releases)
via GitHub
[PR] Bump pygments from 2.19.2 to 2.20.0 (tooling-releases-client)
via GitHub
[PR] Bump actions/cache from 4.2.0 to 5.0.4 (tooling-actions)
via GitHub
[PR] Bump actions/cache from 5.0.3 to 5.0.4 (tooling-releases-client)
via GitHub
[PR] Possible LDAP implementation for review (tooling-trusted-releases)
via GitHub
[I] Starting server with env var for expected secret crashes server (tooling-trusted-releases)
via GitHub
[PR] Bump cryptography from 46.0.5 to 46.0.6 (tooling-trusted-releases)
via GitHub
Re: [PR] Bump cryptography from 46.0.5 to 46.0.6 (tooling-trusted-releases)
via GitHub
Re: [PR] Bump cryptography from 46.0.5 to 46.0.6 (tooling-trusted-releases)
via GitHub
[I] Improve vote counting algorithm (tooling-trusted-releases)
via GitHub
Re: [I] Improve vote counting algorithm (tooling-trusted-releases)
via GitHub
Re: [I] Bugs in vote counting algorithm (tooling-trusted-releases)
via GitHub
[PR] DRAFT: #931 - moving file planner to compose phase (tooling-trusted-releases)
via GitHub
Re: [PR] DRAFT: moving file planner to compose phase (tooling-trusted-releases)
via GitHub
[PR] Audit docs, code, and reports (tooling-agents)
via GitHub
Re: [PR] Audit docs, code, and reports (tooling-agents)
via GitHub
[I] LDAP state in dev/debug/test modes and users (tooling-trusted-releases)
via GitHub
Re: [I] LDAP state in dev/debug/test modes and users (tooling-trusted-releases)
via GitHub
Re: [I] LDAP state in dev/debug/test modes and users (tooling-trusted-releases)
via GitHub
[I] Remove strict checking (tooling-trusted-releases)
via GitHub
Re: [I] Remove strict checking (tooling-trusted-releases)
via GitHub
Re: [I] Remove strict checking (tooling-trusted-releases)
via GitHub
[PR] #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
[GH] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
[GH] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
[GH] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
[GH] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
Re: [PR] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
[GH] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
Re: [PR] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
Re: [PR] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
Re: [PR] Not for merging (yet) #901 - add support for XML in sbom tooling (tooling-trusted-releases)
via GitHub
Re: [I] Add a cancellation vote resolution option (tooling-trusted-releases)
via GitHub
Re: [I] Add a cancellation vote resolution option (tooling-trusted-releases)
via GitHub
[I] Add a countdown timer till the end of the vote on the vote page (tooling-trusted-releases)
via GitHub
Re: [I] Add a countdown timer till the end of the vote on the vote page (tooling-trusted-releases)
via GitHub
Re: [I] Add a countdown timer till the end of the vote on the vote page (tooling-trusted-releases)
via GitHub
[I] Update Pygments when a fix for CVE-2026-4539 is available (tooling-trusted-releases)
via GitHub
[I] Allow private vote threads to be tallied (tooling-trusted-releases)
via GitHub
Re: [I] Allow private vote threads to be tallied (tooling-trusted-releases)
via GitHub
[VOTE] Release Tooling 0.3b
sbp
[VOTE] Release Tooling 0.3a
sbp
[I] Supporting Erlang distribution channel (tooling-trusted-releases)
via GitHub
[I] Committee release catalog schema and model complete (tooling-trusted-releases)
via GitHub
[I] Update start release form to incorporate project cycles (tooling-trusted-releases)
via GitHub
[I] Project schema and models complete (tooling-trusted-releases)
via GitHub
[I] Finish feature complete (tooling-trusted-releases)
via GitHub
[I] Require passing vote and time period before allowing vote completion (tooling-trusted-releases)
via GitHub
Re: [I] Require passing vote and time period before allowing vote completion (tooling-trusted-releases)
via GitHub
[I] Vote feature complete (tooling-trusted-releases)
via GitHub
[I] Move file planner UX to compose phase (tooling-trusted-releases)
via GitHub
Re: [I] Move file planner UX to compose phase (tooling-trusted-releases)
via GitHub
Re: [I] Move file planner UX to compose phase (tooling-trusted-releases)
via GitHub
Re: [I] Move file planner UX to compose phase (tooling-trusted-releases)
via GitHub
[I] Compose feature complete (tooling-trusted-releases)
via GitHub
[PR] Bump astral-sh/setup-uv from 7.3.1 to 7.6.0 (tooling-trusted-releases)
via GitHub
Re: [PR] Bump astral-sh/setup-uv from 7.3.1 to 7.6.0 (tooling-trusted-releases)
via GitHub
[PR] Bump biomejs/setup-biome from 2.7.0 to 2.7.1 (tooling-trusted-releases)
via GitHub
Re: [PR] Bump biomejs/setup-biome from 2.7.0 to 2.7.1 (tooling-trusted-releases)
via GitHub
[PR] Bump astral-sh/setup-uv from 6.4.3 to 7.6.0 (tooling-releases-client)
via GitHub
[PR] #910 - emails support CC and BCC, and enum for footer to be appended. (tooling-trusted-releases)
via GitHub
Re: [PR] #910 - emails support CC and BCC, and enum for footer to be appended. (tooling-trusted-releases)
via GitHub
[I] Improve use of secrets (tooling-actions)
via GitHub
Re: [I] Improve use of secrets (tooling-actions)
via GitHub
Re: [I] Improve use of secrets (tooling-actions)
via GitHub
Re: [I] Improve use of secrets (tooling-actions)
via GitHub
Re: [I] Improve use of secrets (tooling-actions)
via GitHub
[PR] Bump actions/setup-java from 5.1.0 to 5.2.0 (tooling-actions)
via GitHub
Re: [PR] Bump actions/setup-java from 5.1.0 to 5.2.0 (tooling-actions)
via GitHub
[I] Recommend upload api steps (tooling-trusted-releases)
via GitHub
Re: [I] Review Maven ATR plugin and make recommendations (tooling-trusted-releases)
via GitHub
Re: [I] Review Maven ATR plugin and make recommendations (tooling-trusted-releases)
via GitHub
Re: [I] Review Maven ATR plugin and make recommendations (tooling-trusted-releases)
via GitHub
Re: [I] Review Maven ATR plugin and make recommendations (tooling-trusted-releases)
via GitHub
Re: [I] Review Maven ATR plugin and make recommendations (tooling-trusted-releases)
via GitHub
[PR] Bump actions/checkout from 4.2.2 to 6.0.2 (tooling-actions)
via GitHub
Re: [PR] Bump actions/checkout from 4.2.2 to 6.0.2 (tooling-actions)
via GitHub
[PR] Bump actions/setup-python from 5.4.0 to 6.2.0 (tooling-actions)
via GitHub
Re: [PR] Bump actions/setup-python from 5.4.0 to 6.2.0 (tooling-actions)
via GitHub
[PR] protect main branch against force push and delete (tooling-actions)
via GitHub
Re: [PR] protect main branch against force push and delete (tooling-actions)
via GitHub
Re: [PR] protect main branch against force push and delete (tooling-actions)
via GitHub
Re: [PR] protect main branch against force push and delete (tooling-actions)
via GitHub
Re: [I] Abandon announcement actions if there is any problem (tooling-trusted-releases)
via GitHub
Re: [I] Abandon announcement actions if there is any problem (tooling-trusted-releases)
via GitHub
Re: [I] Abandon announcement actions if there is any problem (tooling-trusted-releases)
via GitHub
[I] Ensure that at least one archive is classified as source in path checks (tooling-trusted-releases)
via GitHub
Re: [I] Ensure that at least one archive is classified as source in path checks (tooling-trusted-releases)
via GitHub
Re: [I] Remove artifact path policy fields from project form (tooling-trusted-releases)
via GitHub
Re: [I] Remove artifact path policy fields from project form (tooling-trusted-releases)
via GitHub
[PR] Remove artifacts paths from project compose form (tooling-trusted-releases)
via GitHub
Re: [PR] Remove artifacts paths from project compose form (tooling-trusted-releases)
via GitHub
Re: [PR] Remove artifacts paths from project compose form (tooling-trusted-releases)
via GitHub
[I] Add `docs` as a new file classification (tooling-trusted-releases)
via GitHub
Re: [I] Add `docs` as a new file classification (tooling-trusted-releases)
via GitHub
Re: [I] Add `docs` as a new file classification (tooling-trusted-releases)
via GitHub
Re: [I] Move Trusted Publishing configuration into its own section (tooling-trusted-releases)
via GitHub
Re: [I] Move Trusted Publishing configuration into its own section (tooling-trusted-releases)
via GitHub
Re: [I] Move Trusted Publishing configuration into its own section (tooling-trusted-releases)
via GitHub
[PR] Invalidate SSH keys (tooling-trusted-releases)
via GitHub
[GH] Invalidate SSH keys (tooling-trusted-releases)
via GitHub
[GH] Invalidate SSH keys (tooling-trusted-releases)
via GitHub
[GH] Invalidate SSH keys (tooling-trusted-releases)
via GitHub
[GH] Invalidate SSH keys (tooling-trusted-releases)
via GitHub
[GH] Invalidate SSH keys (tooling-trusted-releases)
via GitHub
[I] Define yaml/json format api for project metadata, cycle, and policy settings (tooling-trusted-releases)
via GitHub
[I] Reorganize committee page (tooling-trusted-releases)
via GitHub
Re: [I] Reorganize committee page (tooling-trusted-releases)
via GitHub
[I] Committee page seeing keys buttons when not a PMC member (tooling-trusted-releases)
via GitHub
Re: [I] Committee page seeing keys buttons when not a PMC member (tooling-trusted-releases)
via GitHub
[I] Committees page allow four up cards (tooling-trusted-releases)
via GitHub
Re: [I] Committees page allow four up cards (tooling-trusted-releases)
via GitHub
[I] Project page reorganization (tooling-trusted-releases)
via GitHub
Re: [PR] Github TP Payload validation (tooling-trusted-releases)
via GitHub
Re: [PR] Github TP Payload validation (tooling-trusted-releases)
via GitHub
Re: [PR] Github TP Payload validation (tooling-trusted-releases)
via GitHub
[I] Anonymous emails come back from lists.a.o (tooling-trusted-releases)
via GitHub
Re: [I] Anonymous emails come back from lists.a.o (tooling-trusted-releases)
via GitHub
[I] safe.Path type (tooling-trusted-releases)
via GitHub
Re: [I] safe.Path type (tooling-trusted-releases)
via GitHub
[I] Lifecycle event model (tooling-trusted-releases)
via GitHub
Re: [I] Lifecycle event model (tooling-trusted-releases)
via GitHub
[I] Project reference metadata (tooling-trusted-releases)
via GitHub
Re: [I] Project reference metadata (tooling-trusted-releases)
via GitHub
Re: [I] Project reference metadata (tooling-trusted-releases)
via GitHub
Re: [I] Project reference metadata (tooling-trusted-releases)
via GitHub
[I] Project cycle schema (tooling-trusted-releases)
via GitHub
Re: [I] Do not allow keys to be deleted if they have been used to sign a release (tooling-trusted-releases)
via GitHub
[I] Artifact catalog schema (tooling-trusted-releases)
via GitHub
[I] Added features to email Message class in `atr/mail.py` (tooling-trusted-releases)
via GitHub
Re: [I] Added features to email Message class in `atr/mail.py` (tooling-trusted-releases)
via GitHub
Re: [I] Added features to email Message class in `atr/mail.py` (tooling-trusted-releases)
via GitHub
[PR] Adding OAuth docs (tooling-trusted-releases)
via GitHub
Re: [PR] Adding OAuth docs (tooling-trusted-releases)
via GitHub
Re: [PR] Adding OAuth docs (tooling-trusted-releases)
via GitHub
Re: [PR] Record check version in the database (tooling-trusted-releases)
via GitHub
Re: [PR] Record check version in the database (tooling-trusted-releases)
via GitHub
Re: [PR] Record check version in the database (tooling-trusted-releases)
via GitHub
[GH] Record check version in the database (tooling-trusted-releases)
via GitHub
[GH] Record check version in the database (tooling-trusted-releases)
via GitHub
[GH] Record check version in the database (tooling-trusted-releases)
via GitHub
[GH] Record check version in the database (tooling-trusted-releases)
via GitHub
[GH] Record check version in the database (tooling-trusted-releases)
via GitHub
[GH] Record check version in the database (tooling-trusted-releases)
via GitHub
Re: [I] Add Clear-Site-Data header and client-side storage clearing on logout (ASVS 14.3.1) (tooling-trusted-releases)
via GitHub
Re: [I] Add Clear-Site-Data header and client-side storage clearing on logout (ASVS 14.3.1) (tooling-trusted-releases)
via GitHub