Conversation
| Please do not report security problems on public forums or in | ||
| repository issues. | ||
|
|
||
| Only the latest release of Foo-Bar will be supported. |
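Review bot: "supported" is left undefined in this sentence; say what a reporter of an issue in an older release should expect (for example, that reports are triaged only once they reproduce against the latest release, and that fixes ship only in new releases), so the line sets expectations rather than only drawing a version boundary.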
Possibly add a link to the repo with the latest security policy?
Good idea. I proposed similar language above; maybe find a phrasing that works well in both places?
|
|
||
| This policy is not intended to be machine readable. | ||
| However, it should be understandable for an international audience. | ||
| Dates and timestamps should be in the [HTTP Date/Time Format](https://httpwg.org/specs/rfc9110.html#http.date). |
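Review bot: the prescribed format needs one more sentence. The linked RFC 9110 format (IMF-fixdate, e.g. `Sun, 06 Nov 1994 08:49:37 GMT`) is always expressed in GMT and puts a comma after the weekday, so a local timestamp such as the `Fri 22 Aug 2025 09:32:47 BST` used in the examples elsewhere in this PR is not valid under it. Either state that times must be converted to GMT, or name the format explicitly as the RFC's IMF-fixdate so authors know which of the RFC's date forms is meant.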
My knee-jerk reaction is "why no ISO-dates?"
ISO dates are meant for machines, and most parts of the world don't use them normally. I find it a little jarring to read text like "This was last updated on 1994-11-06" instead of "This was last updated on Sun, 06 Nov 1994".
timlegge left a comment:
One comment - otherwise looks fine
| You should add a security policy to tell downstream users that you (the developers and maintainers of your software) care about the integrity of their data and systems. | ||
|
|
||
| A security policy tells users how to report security issues to the project maintainer(s), how the maintainer(s) will respond, and what software will be supported by them. | ||
| A security policy tells users how to report security issues to the project maintainer(s), how the maintainer(s) will respond to security issues, and what software will be supported by them. |
Since we're talking about "human-intended" language further down, how about

> A security policy tells users how to report security issues to the project maintainer(s), how the maintainer(s) will respond to ~~security issues~~ these, and what software will be supported by them.
| Even if you are not subject to regulations of a government that requires security policies, potential users of your software are. | ||
| Adding a security policy will make it easier for them to follow regulations. | ||
| Even if you the author are not subject to regulations of a government or institution that requires security policies, potential users of your software may be. | ||
| Adding a security policy will make it easier for them to follow regulations and use your software. |
[…] and use your software, with the right expectations for how security events will be handled.
| A date or timestamp of the security policy (ideally the same as the distribution release) is useful to advise users that the information may be outdated, and where to check for a more recent version of the distribution: | ||
|
|
||
| > This policy was updated on Fri 22 Aug 2025 09:32:47 BST. | ||
| > If this policy is more than two years old, then you should check for a more recent version of [Foo-Bar on CPAN](https://metacpan.org/dist/Foo-Bar). |
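Review bot: the sample timestamp `Fri 22 Aug 2025 09:32:47 BST` does not follow the HTTP date format this same document prescribes a few lines above (no comma after the weekday, and a BST offset where that format only allows GMT); replacing it with `Fri, 22 Aug 2025 08:32:47 GMT` keeps the example consistent with the rule. The identical string is used in the sample short policy added by this PR and needs the same change there.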
Maybe not bind a duration to this? E.g. write
The most recent version of this security policy can be found in the most recent release of Foo-Bar on CPAN.
|
|
||
| This policy was updated on Fri 22 Aug 2025 09:32:47 BST. If this | ||
| policy is more than two years old, then you should check for a more | ||
| recent version of [Foo-Bar on CPAN](https://metacpan.org/dist/Foo-Bar). |
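Review bot: as in the documentation example above, `Fri 22 Aug 2025 09:32:47 BST` is not in the HTTP date format the documentation requires; write it as `Fri, 22 Aug 2025 08:32:47 GMT` in this sample policy too.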
Same comment as above, re "more than two years old"
timlegge left a comment:
I do worry that these security policies will rot a little, but I guess it can't be helped and does help in the near term
| A security policy might also be a requirement by some institutions or governments. | ||
| Even if you are not subject to regulations of a government that requires security policies, potential users of your software are. | ||
| Adding a security policy will make it easier for them to follow regulations. | ||
| Even if you the author are not subject to regulations of a government or institution that requires security policies, potential users of your software may be. |
s/you the author/you, the author,/
This adjusts the security policy wording, and adds a sample very short policy.