[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645504#comment-17645504 ]
ASF GitHub Bot commented on MNGSITE-503:
----------------------------------------

bmarwell commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1044893006

##########
pom.xml:
##########
@@ -232,6 +232,32 @@ --> </executions> </plugin> + <!-- + used for timestamp of .well-known/security.txt file + Plugin-definition must be before resources-plugin to be + in the pre-site phase before 'copy-filtered-resources'. + --> + <plugin> + <groupId>org.codehaus.mojo</groupId> + <artifactId>build-helper-maven-plugin</artifactId> + <version>3.3.0</version> + <executions> + <execution> + <id>create-security.txt-timestamp</id> + <phase>pre-site</phase> + <goals> + <goal>timestamp-property</goal> + </goals> + <configuration> + <name>maven.security.expires</name> + <locale>ROOT</locale> + <pattern>yyyy-MM-dd'T'HH:mm:ss'Z'</pattern> + <offset>+1</offset> + <unit>year</unit> + </configuration>

Review Comment:
Yes, that's the idea. It's the time when the information is considered stale/expired. As long as we deploy the site, it must be active for another year or so. See the RFC from the mailing list and this article: https://developer.okta.com/blog/2021/10/19/intro-security-txt

We do the same in Apache Shiro.

> add .well-known/security.txt
> ----------------------------
>
> Key: MNGSITE-503
> URL: https://issues.apache.org/jira/browse/MNGSITE-503
> Project: Maven Project Web Site
> Issue Type: Improvement
> Reporter: Benjamin Marwell
> Assignee: Benjamin Marwell
> Priority: Major
> Labels: security
>
> As per consensus on the mailing list (+1 from [~rmannibucau] and me), we should add a file `.well-known/security.txt`.
> I will prepare a PR.
> References:
> * [.well-known/security.txt at maven.apache.org (mail-archive.com)|https://www.mail-archive.com/dev@maven.apache.org/msg128366.html]
> * [.well-known/security.txt at maven.apache.org-Apache Mail Archives|https://lists.apache.org/thread/tvfg1lx9nd72c9t4t4s3zlx6l0tpnmwy]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
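Review bot: `<offset>+1</offset>` together with `<unit>year</unit>` makes the generated `maven.security.expires` fall exactly one year after the build, whereas RFC 9116 recommends that the Expires value be less than a year into the future; a shorter offset (a smaller unit such as months) would keep the deployed file inside that recommendation and give a clearer signal when the site has not been redeployed for a while. The pattern `yyyy-MM-dd'T'HH:mm:ss'Z'` also hard-codes a literal Z suffix, which is only truthful when the property is formatted in UTC; setting the goal's time zone explicitly to UTC would guarantee that rather than relying on the plugin default. Finally, the ordering requirement in the comment (this plugin declared before the resources plugin so the property exists before 'copy-filtered-resources') is an implicit dependency on POM declaration order; a matching comment on the resources plugin block would protect it from a future reorder.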