Closed jdno closed 3 days ago
This proposal is being discussed here: https://rust-lang.zulipchat.com/#narrow/stream/242791-t-infra/topic/Domains.20on.20GitHub
@jdno since this patch in in draft, I assume this list is still incomplete, correct?
@jdno since this patch in in draft, I assume this list is still incomplete, correct?
Yes, there are three URLs that are currently missing from the list. As far as I can tell, they are not owned/managed by the infra-team:
[ERROR rust_team::validate] validation error: homepage URL for rust-lang/rustlings is not on an allowed domain: https://rustlings.cool
[ERROR rust_team::validate] validation error: homepage URL for rust-lang/this-week-in-rust is not on an allowed domain: https://this-week-in-rust.org/
[ERROR rust_team::validate] validation error: homepage URL for rust-lang/wg-allocators is not on an allowed domain: http://bit.ly/hello-wg-allocators
Yes, there are three URLs that are currently missing from the list. As far as I can tell, they are not owned/managed by the infra-team:
rustup.rs
also? I didn't check them all, I'm sure you will find many more.
That bit.ly
URL is ... ugh :sweat_smile:
rustup.rs
also? I didn't check them all, I'm sure you will find many more.
I didn't add all the domains that we own. Instead, I looked at the links that are currently set as a homepage
and added most of them to the allowlist. I'm not sure if there's a lot of value to preemptively add all our domains to the list or try to keep them in sync as we add more. I think it's easier to add them on a case-by-case basis.
Repositories can be configured with a homepage, which is prominently featured on GitHub as a link. For repositories under the
rust-lang
organization, we want to make sure that those links only point to domains that are explicitly allowed. Ideally, only domains owned and operated by the Rust project itself will be whitelisted.The risk with other domains is that they might expire silently and get taken over by malicious actors, who can then host phishing campaigns or malware on sites "advertised" by the Rust project.
An initial selection of domains has been added to the allowlist for homepage URLs. The domains are either owned and operated by the infra-team or belong to GitHub.