dev  

Messages by Date

• 2026/03/04 Re: [I] Add explicit charset to JSON and text response helpers (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Add explicit charset to JSON and text response helpers (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Add explicit charset to JSON and text response helpers (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [PR] Add explicit charset (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [PR] Add explicit charset (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Create centralized input validation documentation (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Create centralized input validation documentation (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [PR] Add explicit charset (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [PR] Add explicit charset (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [PR] Add explicit charset (tooling-trusted-releases) via GitHub
• 2026/03/04 [PR] Add explicit charset (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Create centralized input validation documentation (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Document approved cryptographic algorithms for the project (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Document pip-audit CVE exception/suppression process (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Vote resolved date is not set (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Vote resolved date is not set (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Add a quarantined validation period after uploading and before checks are started (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Add a quarantined validation period after uploading and before checks are started (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Vote resolved date is not set (tooling-trusted-releases) via GitHub
• 2026/03/04 Re: [I] Consider improving logging (tooling-trusted-releases) via GitHub
• 2026/03/04 [I] Vote resolved date is not set (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Improve error reporting when /resolve/tabulated data is unavailable (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Document how to provide a groupId for Maven (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Require two approvals for important actions (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] promote uploading via GHA (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] promote uploading via GHA (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Use Mailpit to improve email tests (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Prevent the reuse of detached session objects in database commit contexts (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Improve error reporting when /resolve/tabulated data is unavailable (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Make all client responses JSON by default (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Make all client responses JSON by default (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Make all client responses JSON by default (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Regular root file gets reported as directory when `targz.structure` fails (tooling-trusted-releases) via GitHub
• 2026/03/03 [I] Regular root file gets reported as directory when `targz.structure` fails (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Validate against CR/LF characters in HTTP header values (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Validate no CR/LF in http header values (tooling-trusted-releases) via GitHub
• 2026/03/03 [PR] Validate no CR/LF in http header values (tooling-trusted-releases) via GitHub
• 2026/03/03 [GH] Adding Cache-Control params; fixes #788 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Prefix and formatting for LLM audit comments (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Check XML parsing to prevent XXE attacks (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Check XML parsing to prevent XXE attacks (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Check XML parsing to prevent XXE attacks (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Path traversal in storage layer `delete_file` and `generate_hash_file` (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Path traversal in storage layer `delete_file` and `generate_hash_file` (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Adding comments for SVN upload sizes; fixes #718 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Adding comments for SVN upload sizes; fixes #718 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 [I] Document ATR disk layout and size requirements (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] File type validation on upload through web browser (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] File type validation on upload through web browser (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Adding Cache-Control params; fixes #788 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] ShellResponse and JWT endpoint missing Content-Disposition headers (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Implement Sec-Fetch-* header validation middleware (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Validate sec-fetch headers (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Validate sec-fetch headers (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Move hardcoded committee membership to external configuration (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Remove hardcoded tooling users (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Adding comments for SVN upload sizes; fixes #718 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Adding comments for SVN upload sizes; fixes #718 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add content size limits to SVN import (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Satisfy ASVS #786 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Satisfy ASVS #786 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add Origin header validation for API endpoints (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Add Origin header validation for API endpoints (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Missing `session.check_access()` in multiple route handlers (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] #656 - add check_access to remaining handlers (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Use accurate Content-Type for file downloads instead of generic application/octet-stream (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Fix Content-Type mismatch — JSON returned as text/plain in /result/data endpoint (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Adding comment about data display; fixes #711 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Adding comment for confirm dialog; fixes #767 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Adding a comment about octet-stream; fixes #714 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Refactor confirm dialog from inline JavaScript to data attributes (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [PR] Adding comment for vote email validation; fixes #773 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] Vote email body construction lacks input sanitization (tooling-trusted-releases) via GitHub
• 2026/03/03 [GH] Adding Cache-Control params; fixes #788 (tooling-trusted-releases) via GitHub
• 2026/03/03 Re: [I] IDOR in distribution delete — missing `check_access()` and form/URL parameter mismatch (tooling-trusted-releases) via GitHub
• 2026/03/03 [PR] #656 - add check_access to remaining handlers (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Consider improving logging (tooling-trusted-releases) via GitHub
• 2026/03/02 [PR] Adding comment about data display; fixes #711 (tooling-trusted-releases) via GitHub
• 2026/03/02 [PR] Adding a comment about octet-stream; fixes #714 (tooling-trusted-releases) via GitHub
• 2026/03/02 [PR] Adding comment for confirm dialog; fixes #767 (tooling-trusted-releases) via GitHub
• 2026/03/02 [PR] Adding comment for vote email validation; fixes #773 (tooling-trusted-releases) via GitHub
• 2026/03/02 [PR] Adding comments for SVN upload sizes; fixes #718 (tooling-trusted-releases) via GitHub
• 2026/03/02 [PR] Adding Cache-Control params; fixes #788 (tooling-trusted-releases) via GitHub
• 2026/03/02 [I] Audit guidance tests (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Prefix and formatting for LLM audit comments (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Prefix and formatting for LLM audit comments (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Missing `session.check_access()` in multiple route handlers (tooling-trusted-releases) via GitHub
• 2026/03/02 [GH] Validate sec-fetch headers (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Prefix and formatting for LLM audit comments (tooling-trusted-releases) via GitHub
• 2026/03/02 [PR] Remove hardcoded tooling users (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Logout is accessible via GET, enabling forced-logout attacks (tooling-trusted-releases) via GitHub
• 2026/03/02 [PR] Satisfy ASVS #786 (tooling-trusted-releases) via GitHub
• 2026/03/02 [GH] #344 - instructions on how to upload via GitHub Actions (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [PR] Fix manual vote resolution configuration (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Add Origin header validation for API endpoints (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Add CSP sandbox directive for directory listing responses (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Add CSP sandbox directive for directory listing responses (tooling-trusted-releases) via GitHub
• 2026/03/02 [I] Rework or remove the published endpoint (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Add CSP sandbox directive for directory listing responses (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Add CSP sandbox directive for directory listing responses (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Manual vote resolution bypasses required vote verification (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [PR] #344 - instructions on how to upload via GitHub Actions (tooling-trusted-releases) via GitHub
• 2026/03/02 [I] Links on main docs page missing `docs/` (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Links on main docs page missing `docs/` (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Links on main docs page missing `docs/` (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Allow released files to be read more widely (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [PR] Add has post access check for controls for committers (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [PR] Validate sec-fetch headers (tooling-trusted-releases) via GitHub
• 2026/03/02 [GH] Validate sec-fetch headers (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Review permissions for all actions in ATR (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Review permissions for all actions in ATR (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] `/admin/test` performs state-changing write via GET request (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [PR] Remove unnecessary test endpoint (tooling-trusted-releases) via GitHub
• 2026/03/02 [GH] #344 - instructions on how to upload via GitHub Actions (tooling-trusted-releases) via GitHub
• 2026/03/02 [GH] #344 - instructions on how to upload via GitHub Actions (tooling-trusted-releases) via GitHub
• 2026/03/02 [PR] #344 - instructions on how to upload via GitHub Actions (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Apply URL encoding to distribution platform API URL parameters (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Add protocol validation for external vulnerability URLs in SBOM display (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Ensure that tasks themselves are cached as well as task results (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Implement authentication failure logging (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Preserve the history of configuration options that affect attestations (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [PR] Add check access controls for committers (tooling-trusted-releases) via GitHub
• 2026/03/02 [I] Allow released files to be read more widely (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [PR] Add check access controls for committers (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Add a mode for admins to browse as themselves with no admin permissions (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [PR] Drop admin privileges (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Distribution data model uses lax schema allowing extra fields (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [PR] Add check access controls for committers (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [I] Missing `session.check_access()` in multiple route handlers (tooling-trusted-releases) via GitHub
• 2026/03/02 Re: [PR] Drop admin privileges (tooling-trusted-releases) via GitHub
• 2026/03/01 Re: [I] Add release manager storage permissions (tooling-trusted-releases) via GitHub
• 2026/03/01 Re: [I] Add release manager storage permissions (tooling-trusted-releases) via GitHub
• 2026/03/01 Re: [I] Missing `session.check_access()` in multiple route handlers (tooling-trusted-releases) via GitHub
• 2026/03/01 [PR] Add check access controls for committers (tooling-trusted-releases) via GitHub
• 2026/03/01 Re: [I] Missing `session.check_access()` in multiple route handlers (tooling-trusted-releases) via GitHub
• 2026/03/01 Re: [I] Invalidate authorization cache and session file cache on logout/session termination (tooling-trusted-releases) via GitHub
• 2026/02/28 Re: [I] Logout is accessible via GET, enabling forced-logout attacks (tooling-trusted-releases) via GitHub
• 2026/02/28 Re: [PR] Fix manual vote resolution configuration (tooling-trusted-releases) via GitHub
• 2026/02/28 [PR] Fix manual vote resolution configuration (tooling-trusted-releases) via GitHub
• 2026/02/28 Re: [I] Manual vote resolution bypasses required vote verification (tooling-trusted-releases) via GitHub
• 2026/02/28 Re: [I] Preserve the history of configuration options that affect attestations (tooling-trusted-releases) via GitHub
• 2026/02/25 Re: [I] Setup svn credentials to commit to dist/release (tooling-trusted-releases) via GitHub
• 2026/02/25 Re: [I] Setup svn credentials to commit to dist/release (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Add CSP sandbox directive for directory listing responses (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Make CSRF token required in Form base class (tooling-trusted-releases) via GitHub
• 2026/02/25 Re: [I] Test whether `quart_wtf` works (tooling-trusted-releases) via GitHub
• 2026/02/25 Re: [I] Test whether `csrf: str` works (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Test whether `csrf: str` works (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Test whether `quart_wtf` works (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Verify CSRF coverage for `@post.empty()` decorated endpoints (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] ShellResponse and JWT endpoint missing Content-Disposition headers (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Add Origin header validation for API endpoints (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Implement Sec-Fetch-* header validation middleware (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Move test routes to a separate blueprint (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] `/test/login` performs session creation via GET request (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Logout is accessible via GET, enabling forced-logout attacks (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] `/admin/test` performs state-changing write via GET request (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Pagination validation only checks upper bound (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Upload file path validation bypass when file_name parameter is provided (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] JWT subject (ASF UID) lacks format validation (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Create centralized input validation documentation (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Distribution data model uses lax schema allowing extra fields (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Email validation insufficient across codebase (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Vote content fields lack length and content validation (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Also check for null bytes (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Vote email body construction lacks input sanitization (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Task arguments lack schema validation in worker pipeline (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] GitHub workflow arguments lack key/value validation (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Manual vote resolution bypasses required vote verification (tooling-trusted-releases) via GitHub
• 2026/02/25 Re: [I] Allow `.gitkeep` as a temporary workaround (tooling-trusted-releases) via GitHub
• 2026/02/25 Re: [I] Allow `.gitkeep` as a temporary workaround (tooling-trusted-releases) via GitHub
• 2026/02/25 Re: [I] Allow deleting of DOT files (tooling-trusted-releases) via GitHub
• 2026/02/25 Re: [I] Allow deleting of DOT files (tooling-trusted-releases) via GitHub
• 2026/02/25 Re: [I] Setup svn credentials to commit to dist/release (tooling-trusted-releases) via GitHub
• 2026/02/25 Re: [I] Allow deleting of DOT files (tooling-trusted-releases) via GitHub
• 2026/02/25 [I] Allow `.gitkeep` as a temporary workaround (tooling-trusted-releases) via GitHub
• 2026/02/25 Re: [I] Document reproducible builds, signing, SBOMs, and OpenSSF (tooling-trusted-releases) via GitHub
• 2026/02/24 [I] Add protocol validation for external vulnerability URLs in SBOM display (tooling-trusted-releases) via GitHub
• 2026/02/24 [I] Refactor confirm dialog from inline JavaScript to data attributes (tooling-trusted-releases) via GitHub
• 2026/02/24 [I] Apply URL encoding to mailing list API query parameters (tooling-trusted-releases) via GitHub
• 2026/02/24 [I] Apply URL encoding to distribution platform API URL parameters (tooling-trusted-releases) via GitHub
• 2026/02/24 [I] Semgrep XML security rules in pre-commit (tooling-trusted-releases) via GitHub
• 2026/02/24 [I] Check XML parsing to prevent XXE attacks (tooling-trusted-releases) via GitHub
• 2026/02/24 [I] SVN import URL lacks scheme validation — SSRF and local file read risk (tooling-trusted-releases) via GitHub
• 2026/02/24 [I] Open redirect via unvalidated OAuth login redirect parameter (tooling-trusted-releases) via GitHub
• 2026/02/24 [I] User Identity Trust Boundary in Background Tasks (tooling-trusted-releases) via GitHub

• Earlier messages
• Later messages