PGP keys verification - Githubissues

nodejs / Release

Node.js Release Working Group

3.94k stars 551 forks source link

PGP keys verification #965

Open UlisesGascon opened 7 months ago

UlisesGascon commented 7 months ago

Context

The full context can be found at GHSA-76h5-j8cf-q8vj and GHSA-jcj3-qxpv-gxm2.
Additional offline conversation at Slack

Action items

[ ] As part of the onboarding the releasers should add the PGP key(s) to the Github profile, like Ulises' example
- [x] Create a PR to update the onboarding steps (@UlisesGascon). https://github.com/nodejs/Release/pull/966
- [ ] Ensure that all the releasers has completed this step

nschonni commented 6 months ago

Aside: why is the website repo being used for security advisories? That doesn't seem to line up with the security reporting policy

ovflowd commented 6 months ago

Aside: why is the website repo being used for security advisories? That doesn't seem to line up with the security reporting policy

IDK, someone just created one for nodejs.org; I'm not sure if this is a setting on the nodejs.org repository, and if yes, if I should disable. cc @nodejs/tsc

UlisesGascon commented 4 months ago

I was checking the changes with the team, I am waiting for a final update for two signatures and then we can close this issue.

ovflowd commented 4 weeks ago

Is there any update here?