From 7aa2b6294b1782b3cdc4123b01fe94b322570ef1 Mon Sep 17 00:00:00 2001 From: Derick Rethans Date: Tue, 6 Feb 2024 11:39:12 +0000 Subject: [PATCH] Moving this to php/policies --- docs/security-policies.md | 90 --------------------------------------- 1 file changed, 90 deletions(-) delete mode 100644 docs/security-policies.md diff --git a/docs/security-policies.md b/docs/security-policies.md deleted file mode 100644 index 6db017534e9..00000000000 --- a/docs/security-policies.md +++ /dev/null 
@@ -1,90 +0,0 @@ -# PHP Security Policies and Process - -> [!IMPORTANT] -> This is a meta document discussing PHP security policies and processes. For the actual -> PHP security policy, see the PHP [Vulnerability Disclosure Policy][] document. - -## PHP.net security.txt file - -PHP.net includes a [security.txt][] file that complements the -[Vulnerability Disclosure Policy][], aiding security vulnerability disclosure. -This file implements the standard defined in [RFC 9116][], and more information -is available at . - -RFC 9116 requires an `Expires` field in `security.txt`, and its recommendation -is for the `Expires` field to be less than a year in the future. This provides -security researchers with confidence they are using our most up-to-date -reporting policies. To facilitate yearly updates to the `Expires` field and -ensure freshness of the information in `security.txt`, the PHP release managers -[update the `Expires` field as part of the X.Y.0 GA release][expires-update]. - -From time-to-time, we may update `security.txt` with new information, outside -of the yearly changes to the `Expires` field. - -### Making changes to security.txt - -All changes to `security.txt` must be signed by a PHP release manager for a -[currently supported version of PHP][supported-versions] (at the time of the -changes). Release managers are the most logical choice for signing this file, -since we already [publish their PGP keys][rm-pgp-keys]. - -To make changes to `security.txt`: - -1. Go to your local clone of [web-php][]. - - ```bash - cd /path/to/web-php/.well-known - ``` - -2. Remove the PGP signature that wraps the body of `security.txt`: - - ```bash - gpg --decrypt --output security.txt security.txt - ``` - - > [!NOTE] - > To "decrypt" `security.txt`, you will need the public key of the release - > manager who last signed it in your GPG keychain. - -3. Make and save your changes to this file, e.g., update the `Expires` timestamp. 
- - There should be a "Signed by" comment in the file that looks similar to this: - - ``` - # Signed by Ben Ramsey on 2023-09-28. - ``` - - Update this line with your name, the email address associated with the key - you're using to sign the file, and the current date. - -4. Sign your changes: - - ```bash - gpg --clearsign --local-user YOU@php.net --output security.txt.asc security.txt - ``` - - > [!WARNING] - > You cannot use `--output` to output the signature to the same file as the - > input file or `gpg` will result in a signature wrapped around empty content. - -5. Last, replace `security.txt` with `security.txt.asc` and commit your changes: - - ```bash - mv security.txt.asc security.txt - git commit security.txt - ``` - -> [!NOTE] -> You may verify the signature with the following command: -> -> ```bash -> gpg --verify security.txt -> ``` - -[security.txt]: https://www.php.net/.well-known/security.txt -[vulnerability disclosure policy]: https://github.com/php/php-src/security/policy -[rfc 9116]: https://www.rfc-editor.org/rfc/rfc9116 -[expires-update]: release-process.md#preparing-for-the-initial-stable-version-php-xy0 -[supported-versions]: https://www.php.net/supported-versions.php -[rm-pgp-keys]: https://www.php.net/gpg-keys.php -[web-php]: https://github.com/php/web-php
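Review bot: The hunk deletes docs/security-policies.md outright (90 deletions, no additions) while the commit message only says the content is "Moving this to php/policies"; consider leaving a short stub or a pointer to the new location in the commit message or in a neighbouring doc, since the removed file was the only place in this tree that documented the security.txt signing procedure, including the `gpg --clearsign` step and the warning that using `--output` to write back to the input file yields a signature wrapped around empty content. The deleted file also cites `release-process.md#preparing-for-the-initial-stable-version-php-xy0`, so check that release-process.md and any other page in docs/ do not still link to security-policies.md, and that the release managers who own the yearly `Expires` update know the procedure now lives in php/policies.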