Merged
jducoeur
approved these changes
Feb 19, 2025
Member
jducoeur
left a comment
Makes sense, and appears to match the RFC.
Does raise the question of how we track and remember to renew things like this (when there isn't a company dunning us with email reminders), but that's not a blocker.
Member
Author
If we remember to renew it when we renew the GPG key that signs it, they're on approximately the same cycle. We could also establish a shared key for the Security Team, which would simplify some things and complicate others, but that's something that can be done any time after this. I'd just like to have something reasonable in place as a starting point.
armanbilge
approved these changes
Feb 20, 2025
Follows https://www.rfc-editor.org/rfc/rfc9116
The key is signed by the same PGP key that signs our artifacts and is published to our site, but the referenced encryption keys are mine and @armanbilge's, as they appear on the Typelevel security policy. This distinction makes sense in my mind, because Arman and I don't typically sign artifacts for Typelevel, and the Typelevel bot shouldn't receive encrypted messages.
This is something that should be renewed every year.
/cc @typelevel/security
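An added example, not code from this PR or the Typelevel repository: a small linter for an RFC 9116 security.txt that checks the Contact and Expires fields the description relies on and flags an Expires that has already passed or lies more than a year out, which is the renewal-tracking concern raised in review. The sample file and every address and URL in it are constructed placeholders.

```python
"""Lint a security.txt (RFC 9116): required fields plus the yearly Expires window."""
from datetime import datetime, timedelta, timezone
# Constructed sample modelled on the PR's layout; addresses/URLs are placeholders, not Typelevel's.
SAMPLE = """\
Contact: mailto:security@example.org
Expires: 2026-02-20T00:00:00Z
Encryption: https://example.org/keys/maintainer-a.asc
Encryption: https://example.org/keys/maintainer-b.asc
Canonical: https://example.org/.well-known/security.txt
"""

def parse_ts(s):
    """Parse an RFC 9116 timestamp (must carry a zone); Z is normalised for older Pythons."""
    ts = datetime.fromisoformat(s.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp lacks a UTC offset")
    return ts

def parse_security_txt(text):
    """Map lower-cased field names to values; comments and colon-less armour lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def lint(text, now=None, max_validity=timedelta(days=365)):
    """Return the problems found (empty list = passes); `now` may be an ISO string."""
    now = parse_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    f = parse_security_txt(text)
    problems = []
    if not f.get("contact"):
        problems.append("missing Contact")
    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = parse_ts(expires[0])
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
        else:
            if exp <= now:
                problems.append("Expires is in the past: renew the file")
            elif exp - now > max_validity:
                problems.append("Expires is more than a year away")
    return problems
```

Run `lint(open(".well-known/security.txt").read())` from CI on a schedule and fail the job when the list is non-empty; that turns the yearly renewal into an automated check instead of something to remember.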