rust-lang / team

Rust teams structure
Apache License 2.0

Validate homepage URLs for repositories #1438

Closed jdno closed 3 days ago

jdno commented 2 months ago

Repositories can be configured with a homepage, which is prominently featured on GitHub as a link. For repositories under the rust-lang organization, we want to make sure that those links only point to domains that are explicitly allowed. Ideally, only domains owned and operated by the Rust project itself will be whitelisted.

The risk with other domains is that they might expire silently and get taken over by malicious actors, who can then host phishing campaigns or malware on sites "advertised" by the Rust project.

An initial selection of domains has been added to the allowlist for homepage URLs. The domains are either owned and operated by the infra-team or belong to GitHub.

jdno commented 2 months ago

This proposal is being discussed here: https://rust-lang.zulipchat.com/#narrow/stream/242791-t-infra/topic/Domains.20on.20GitHub

apiraino commented 2 months ago

@jdno since this patch is in draft, I assume this list is still incomplete, correct?

jdno commented 2 months ago

> @jdno since this patch is in draft, I assume this list is still incomplete, correct?

Yes, there are three URLs that are currently missing from the list. As far as I can tell, they are not owned/managed by the infra-team:

[ERROR rust_team::validate] validation error: homepage URL for rust-lang/rustlings is not on an allowed domain: https://rustlings.cool
[ERROR rust_team::validate] validation error: homepage URL for rust-lang/this-week-in-rust is not on an allowed domain: https://this-week-in-rust.org/
[ERROR rust_team::validate] validation error: homepage URL for rust-lang/wg-allocators is not on an allowed domain: http://bit.ly/hello-wg-allocators
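The check described in the opening comment, and the three errors listed above, can be reproduced with a small allowlist validator. The code below is an added example written for this page, not the implementation in rust-lang/team: the allowlist contents, the function names and the sample repository list are assumptions, and the error text is modelled on the log lines above. It uses only the standard library and deliberately handles the cases a homepage check must get right: userinfo decoys (`https://rust-lang.org@evil.example/`), look-alike suffixes (`rust-lang.org.evil.example`), non-http schemes, case and trailing-dot normalization, and the fact that accepting subdomains means the allowlist must name `rust-lang.github.io` rather than `github.io`.

```rust
// Added example: an allowlist check for repository homepage URLs in the spirit
// of the validation discussed in this issue. Illustrative code, not the
// rust-lang/team implementation; the allowlist, names and sample repositories
// below are assumptions made for the example.

/// Sample allowlist (assumed for this example). Only domains the project
/// controls belong here: because subdomains are accepted, listing "github.io"
/// would admit every user's pages site, so "rust-lang.github.io" is listed.
pub const ALLOWED_DOMAINS: &[&str] = &["rust-lang.org", "rust-lang.github.io", "github.com"];

/// Extract and normalize the host of an absolute http(s) URL using only std.
/// Returns None for other schemes, userinfo, IP literals or a malformed host.
pub fn host_of(url: &str) -> Option<String> {
    let rest = url
        .strip_prefix("https://")
        .or_else(|| url.strip_prefix("http://"))?;
    // The authority ends at the first path, query or fragment delimiter.
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    // "https://rust-lang.org@evil.example/" has host evil.example; refuse
    // userinfo outright rather than risk matching the decoy on the left.
    if authority.contains('@') {
        return None;
    }
    // IP literals ("[::1]", "127.0.0.1:8080") are never an allowed domain;
    // bracketed IPv6 is rejected here, dotted IPv4 fails the allowlist later.
    if authority.starts_with('[') {
        return None;
    }
    // Drop an optional port, lowercase, and strip a trailing root dot so that
    // "RUST-LANG.ORG." and "rust-lang.org" compare equal.
    let host = authority.split(':').next()?;
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let well_formed = !host.is_empty()
        && host
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.');
    if well_formed {
        Some(host)
    } else {
        None
    }
}

/// A host is allowed if it equals an allowed domain or is a subdomain of one.
/// The leading dot is what stops "rust-lang.org.evil.example" from matching.
pub fn is_allowed_host(host: &str, allowed: &[&str]) -> bool {
    allowed
        .iter()
        .any(|d| host == *d || host.ends_with(&format!(".{d}")))
}

/// Validate one repository's homepage; the message mirrors the log lines in
/// the issue. The "not a valid http(s) URL" wording is this example's own.
pub fn validate_homepage(repo: &str, homepage: &str, allowed: &[&str]) -> Result<(), String> {
    match host_of(homepage) {
        Some(host) if is_allowed_host(&host, allowed) => Ok(()),
        Some(_) => Err(format!(
            "homepage URL for {repo} is not on an allowed domain: {homepage}"
        )),
        None => Err(format!(
            "homepage URL for {repo} is not a valid http(s) URL: {homepage}"
        )),
    }
}

/// Run the check over every repository and collect all errors, so one
/// validation pass reports every offending homepage instead of the first.
pub fn validate_all(repos: &[(&str, &str)], allowed: &[&str]) -> Vec<String> {
    repos
        .iter()
        .filter_map(|(repo, url)| validate_homepage(repo, url, allowed).err())
        .collect()
}

/// Constructed sample input: two homepages that pass plus the three URLs
/// reported in the issue.
pub fn sample_repos() -> Vec<(&'static str, &'static str)> {
    vec![
        ("rust-lang/rust", "https://www.rust-lang.org"),
        ("rust-lang/rust-forge", "https://forge.rust-lang.org/"),
        ("rust-lang/rustlings", "https://rustlings.cool"),
        ("rust-lang/this-week-in-rust", "https://this-week-in-rust.org/"),
        ("rust-lang/wg-allocators", "http://bit.ly/hello-wg-allocators"),
    ]
}

fn main() {
    for err in validate_all(&sample_repos(), ALLOWED_DOMAINS) {
        eprintln!("[ERROR] validation error: {err}");
    }
}
```

Running `main` prints three errors matching the ones quoted above. Note that the bit.ly URL fails on domain alone; a link shortener is the worst case for this check, since the target behind it can change without any edit to the repository settings, which is exactly the silent-takeover risk the opening comment describes.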

apiraino commented 2 months ago

> Yes, there are three URLs that are currently missing from the list. As far as I can tell, they are not owned/managed by the infra-team:

rustup.rs also? I didn't check them all, I'm sure you will find many more.

That bit.ly URL is ... ugh :sweat_smile:

jdno commented 2 months ago

> rustup.rs also? I didn't check them all, I'm sure you will find many more.

I didn't add all the domains that we own. Instead, I looked at the links that are currently set as a homepage and added most of them to the allowlist. I'm not sure if there's a lot of value to preemptively add all our domains to the list or try to keep them in sync as we add more. I think it's easier to add them on a case-by-case basis.

jdno commented 3 days ago

I've proposed this to the infra-team, but there isn't enough support for the check. The only comment on the proposal was that teams can already add any URLs they want to the README, so adding this check for the repository URL doesn't have a lot of benefits.