dev  

Messages by Date

• 2026/03/10 Re: [I] Project metadata to add to project database (tooling-trusted-releases) via GitHub
• 2026/03/10 [PR] Add support for pyproject.toml and Docker in Dependabot (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [PR] Added comment about versioning (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Populate `version.py` at build time (tooling-trusted-releases) via GitHub
• 2026/03/10 [PR] Added comment about versioning (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Apply `form.to_relpath()` consistently in `draft.py` and `finish.py` POST handlers (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [PR] Adding relpath to docs (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [PR] Fix title case (tooling-trusted-releases) via GitHub
• 2026/03/10 [PR] Fix title case (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [PR] Adding comment for domain checking (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] SVN import accepts arbitrary URLs without validation (SSRF) (tooling-trusted-releases) via GitHub
• 2026/03/10 [PR] Adding relpath to docs (tooling-trusted-releases) via GitHub
• 2026/03/10 [PR] Adding comment for domain checking (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Missing authorization on SBOM endpoints (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Missing authorization on SBOM endpoints (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Configure explicit TLS version constraints for Hypercorn server (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [PR] Add TLS security configuration docs (tooling-trusted-releases) via GitHub
• 2026/03/10 [PR] Add TLS security configuration docs (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Configure explicit TLS version constraints for Hypercorn server (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] RAO / maven upload only works for single release artifact (+classifiers) (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] RAO / maven upload only works for single release artifact (+classifiers) (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] RAO / maven upload only works for single release artifact (+classifiers) (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Checks failed on Maven JLink Plugin 3.3.0 (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Checks failed on Maven JLink Plugin 3.3.0 (tooling-trusted-releases) via GitHub
• 2026/03/10 [I] Require the release manager to confirm that they are ignoring non-blocking errors (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] SVN import URL lacks scheme validation — SSRF and local file read risk (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Some source archives are not detected at source (tooling-trusted-releases) via GitHub
• 2026/03/10 [PR] Drop `file_name` field in upload files (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] TLS: Add explicit cipher suite configuration for defense-in-depth (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Clear JWT token and CSRF token from DOM on session end / timeout (ASVS 14.3.1) (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Improve type validation of GET parameters (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Improve type validation of GET parameters (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Clear JWT token and CSRF token from DOM on session end / timeout (ASVS 14.3.1) (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] GitHub workflow arguments lack key/value validation (tooling-trusted-releases) via GitHub
• 2026/03/10 Re: [I] Add and use exploratory taint tracking types (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Support `SafeCommittee` taint tracking (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Configure explicit TLS version constraints for Hypercorn server (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Configure explicit TLS version constraints for Hypercorn server (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Missing authorization on public API check results (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [PR] Adding docs about public API endpoints (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Configure explicit TLS version constraints for Hypercorn server (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Missing authorization on public API check results (tooling-trusted-releases) via GitHub
• 2026/03/09 [PR] Adding docs about public API endpoints (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Test mode authorization bypass allows all users test committee access (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [PR] Adding docs for auth bypass (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Test mode authorization bypass allows all users test committee access (tooling-trusted-releases) via GitHub
• 2026/03/09 [PR] Adding docs for auth bypass (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Token deletion missing ownership validation (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [PR] Adding comment about public download of release files (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [PR] Adding comments for key and token deletion (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Public download access to draft/pre-release artifacts (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Message sending lacks committee-scoped recipient validation (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [PR] Adding comment about sending mail to other committees (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Add not-before validation for SSH workflow keys (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [PR] Adding comment for SSH workflow key (tooling-trusted-releases) via GitHub
• 2026/03/09 [PR] Adding comments for key and token deletion (tooling-trusted-releases) via GitHub
• 2026/03/09 [PR] Adding comment about public download of release files (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Admin override access lacks persistent audit logging (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Admin override access lacks persistent audit logging (tooling-trusted-releases) via GitHub
• 2026/03/09 [PR] Adding comment about sending mail to other committees (tooling-trusted-releases) via GitHub
• 2026/03/09 [PR] Adding comment for SSH workflow key (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Configure explicit TLS version constraints for Hypercorn server (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Apply `form.to_relpath()` consistently in `draft.py` and `finish.py` POST handlers (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Update docs with relpath (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Update docs with relpath (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Semgrep XML security rules in pre-commit (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Semgrep XML security rules in pre-commit (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Task arguments lack schema validation in worker pipeline (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Task arguments lack schema validation in worker pipeline (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] JWT subject (ASF UID) lacks format validation (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] JWT subject (ASF UID) lacks format validation (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] `/test/login` performs session creation via GET request (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] `/test/login` performs session creation via GET request (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Support `SafeCommittee` taint tracking (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Audit guidance tests (tooling-trusted-releases) via GitHub
• 2026/03/09 [PR] Bump astral-sh/setup-uv from 7.3.0 to 7.3.1 (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Project metadata to add to project database (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Determine a list of file types that can be blocked based on extension (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Determine a list of file types that can be blocked based on extension (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Determine a list of file types that can be blocked based on extension (tooling-trusted-releases) via GitHub
• 2026/03/09 [I] Add a filetype warning check (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Clear JWT token and CSRF token from DOM on session end / timeout (ASVS 14.3.1) (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Insufficient archive member path validation in check tasks (tooling-trusted-releases) via GitHub
• 2026/03/09 [I] Checks failed on Maven JLink Plugin 3.3.0 (tooling-trusted-releases) via GitHub
• 2026/03/09 [I] Support `SafeCommittee` taint tracking (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Add and use exploratory taint tracking types (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Determine a list of file types that can be blocked based on extension (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Add and use exploratory taint tracking types (tooling-trusted-releases) via GitHub
• 2026/03/09 [PR] Bump actions/upload-artifact from 6.0.0 to 7.0.0 (tooling-releases-client) via GitHub
• 2026/03/09 [PR] Bump astral-sh/setup-uv from 6.4.3 to 7.3.1 (tooling-releases-client) via GitHub
• 2026/03/09 Re: [PR] Bump astral-sh/setup-uv from 6.4.3 to 7.3.0 (tooling-releases-client) via GitHub
• 2026/03/09 Re: [PR] Bump astral-sh/setup-uv from 6.4.3 to 7.3.0 (tooling-releases-client) via GitHub
• 2026/03/09 [I] Trying to add ignore with invalid data updates existing ignore forms on the page (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Revoke JWTs when a PAT is deleted (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Clear JWT token and CSRF token from DOM on session end / timeout (ASVS 14.3.1) (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Add and use exploratory taint tracking types (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Path traversal in attestable file path construction (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Revoke JWTs when a PAT is deleted (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] SVN Import task not starting (tooling-trusted-releases) via GitHub
• 2026/03/09 [I] SVN Import task not starting (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] `/test/login` performs session creation via GET request (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Verify CSRF coverage for `@post.empty()` decorated endpoints (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Test whether `quart_wtf` works (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Revoke JWTs when a PAT is deleted (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] IDOR in distribution delete — missing `check_access()` and form/URL parameter mismatch (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Path traversal in attestable file path construction (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Block announcing a release if tagged distributions have not yet been done (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Check XML parsing to prevent XXE attacks (tooling-trusted-releases) via GitHub
• 2026/03/09 Re: [I] Clear JWT token and CSRF token from DOM on session end / timeout (ASVS 14.3.1) (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Project metadata to add to project database (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Project metadata to add to project database (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Project metadata to add to project database (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Upload file path validation bypass when file_name parameter is provided (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Some source archives are not detected at source (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Some source archives are not detected at source (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Some source archives are not detected at source (tooling-trusted-releases) via GitHub
• 2026/03/08 [I] Some source archives are not detected at source (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Backfill archives (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Backfill archives (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Determine a list of file types that can be blocked based on extension (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Determine a list of file types that can be blocked based on extension (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Uploading PAX archives fails due to an extraction error (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Uploading PAX archives fails due to an extraction error (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Allow quarantine failure reports to be cleared (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Allow quarantine failure reports to be cleared (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Detailed quarantine archive extraction error messages are not reported (tooling-trusted-releases) via GitHub
• 2026/03/08 Re: [I] Detailed quarantine archive extraction error messages are not reported (tooling-trusted-releases) via GitHub
• 2026/03/08 [I] Allow quarantine failure reports to be cleared (tooling-trusted-releases) via GitHub
• 2026/03/08 [I] Detailed quarantine archive extraction error messages are not reported (tooling-trusted-releases) via GitHub
• 2026/03/07 Re: [I] Determine a list of file types that can be blocked based on extension (tooling-trusted-releases) via GitHub
• 2026/03/07 Re: [I] Uploading PAX archives fails due to an extraction error (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Project metadata to add to project database (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Project metadata to add to project database (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Project metadata to add to project database (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Document how to provide a groupId for Maven (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Determine a list of file types that can be blocked based on extension (tooling-trusted-releases) via GitHub
• 2026/03/06 [I] Uploading PAX archives fails due to an extraction error (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Implement file type/content validation for uploads (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Determine a list of file types that can be blocked based on extension (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Determine a list of file types that can be blocked based on extension (tooling-trusted-releases) via GitHub
• 2026/03/06 [I] Determine a list of file types that can be blocked based on extension (tooling-trusted-releases) via GitHub
• 2026/03/06 [I] Backfill archives (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Verify all DistributionPlatform template URLs use HTTPS (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Record 3-way merge metadata (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Record 3-way merge metadata (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [PR] Utilising taint tracking types (tooling-trusted-releases) via GitHub
• 2026/03/06 [GH] Utilising taint tracking types (tooling-trusted-releases) via GitHub
• 2026/03/06 [GH] Utilising taint tracking types (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [I] Rework or remove the published endpoint (tooling-trusted-releases) via GitHub
• 2026/03/06 Re: [PR] Adjust topnav menu if ALLOW_TESTS (tooling-trusted-releases) via GitHub
• 2026/03/06 [GH] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/06 [GH] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/06 [GH] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/06 [GH] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/06 [GH] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/06 [GH] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/06 [GH] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/06 [GH] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/05 [PR] Make token change emails more clear (tooling-trusted-releases) via GitHub
• 2026/03/05 [PR] Adjust topnav menu if ALLOW_TESTS (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] [Discuss] Dependency release chains (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Study replacing repository.apache.org (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [PR] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Clarify and constrain permitted ASF TLP version numbers (tooling-trusted-releases) via GitHub
• 2026/03/05 [GH] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Revoke JWTs when a PAT is deleted (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Revoke JWTs when a PAT is deleted (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Implement JWT token revocation mechanism (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Implement JWT token revocation mechanism (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [PR] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [PR] Don't merge: for discussion (tooling-trusted-releases) via GitHub
• 2026/03/05 [I] Study replacing repository.apache.org (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] TLS: Add explicit cipher suite configuration for defense-in-depth (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Validate release workflow phase before operations (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Validate release workflow phase before operations (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Validate release workflow phase before operations (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] [Discuss] Dependency release chains (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Vote result email To configuration (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Filter sensitive fields from Task objects in API responses (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Filter sensitive fields from Task objects in API responses (tooling-trusted-releases) via GitHub
• 2026/03/05 [I] Revoke JWTs when a PAT is deleted (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Remove `token_hash` from PersonalAccessToken API responses (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Remove `token_hash` from PersonalAccessToken API responses (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Check for bombs and other archival problems in uploads (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Check for bombs and other archival problems in uploads (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [PR] Add start_tls to smtp connection (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Add STARTTLS initiation to SMTP mail relay in `atr/mail.py` (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [PR] New atr logo topnav treatment (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Implement LDAP attribute allowlist instead of `ALL_ATTRIBUTES` (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Implement LDAP attribute allowlist instead of `ALL_ATTRIBUTES` (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [PR] Search ldap returning limited attributes (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [PR] Search ldap returning limited attributes (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [PR] Search ldap returning limited attributes (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Implement LDAP attribute allowlist instead of `ALL_ATTRIBUTES` (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Implement LDAP attribute allowlist instead of `ALL_ATTRIBUTES` (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Implement LDAP attribute allowlist instead of `ALL_ATTRIBUTES` (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [I] Storage layer accepts arbitrary user IDs for SSH key and PAT creation (tooling-trusted-releases) via GitHub
• 2026/03/05 Re: [PR] Use session asf_uid when adding ssh key and pat (tooling-trusted-releases) via GitHub
• 2026/03/05 [I] [Discuss] Dependency release chains (tooling-trusted-releases) via GitHub
• 2026/03/05 [I] Vote result email To configuration (tooling-trusted-releases) via GitHub

• Earlier messages