Update security.txt for end date and add some more fields #3210

Merged
kevin merged 1 commit from kevin/ansible:security-txt-update into main 2026-03-12 20:39:04 +00:00
Owner

Fix the expire date.
Point users to a wiki page to hopefully cut down on beg bounties
Note that we do NOT have a bug bounty program.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

Update security.txt for end date and add some more fields
All checks were successful
Linter / yamllint (pull_request) Successful in 26s
Linter / ansible-lint (pull_request) Successful in 40s
AI Code Review / ai-review (pull_request_target) Successful in 26s
1bb3b27f91
Fix the expire date.
Point users to a wiki page to hopefully cut down on beg bounties
Note that we do NOT have a bug bounty program.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

AI Code Review

📋 MR Summary

Updates the security.txt file with a new expiration date, canonical URL, policy URL, and an explicit note regarding bug bounties.

  • Key Changes:
    • Extended the Expires date to 2027-02-10.
    • Added a Canonical URL to prevent duplicates and explicitly define the source.
    • Added a Policy URL pointing to infrastructure security report guidelines.
    • Attempted to add a Bug-Bounty: False directive to deter 'begbounties'.
  • Impact: roles/security.txt
  • Risk Level: 🟢 Low - Changes are purely informational text updates to a static policy file, with zero runtime impact. However, one directive does not adhere to the RFC specification.

Detailed Code Review

The updates correctly extend the expiration date and appropriately direct users to a detailed policy page to help curb spam/begbounties. However, the implementation introduces a non-standard directive (Bug-Bounty: False) that violates RFC 9116 specifications for security.txt files. Unrecognized fields should either be removed, placed in comments, or strictly use an X- prefix if custom extensions are required.

📂 File Reviews

📄 `roles/security.txt/files/security.txt` - Updated security.txt fields with new expiration, canonical URL, and policy links.
  • Major [Bug]: The Bug-Bounty field is not a recognized directive in the security.txt specification (RFC 9116). Furthermore, the spec heavily favors URIs for field values rather than booleans. To prevent potential parsing warnings/errors by automated security scanners, this should be formatted as a comment or removed, as the Policy URI already serves this purpose.
    • Suggestion: Replace the invalid directive with a standard comment.
Canonical: https://admin.fedoraproject.org/.well-known/security.txt
Contact: mailto:infra-security@fedoraproject.org
Expires: 2027-02-10T21:01:00.000Z
# Note: We do NOT have a bug bounty program.
Policy: https://fedoraproject.org/wiki/Infrastructure-security-reports

Summary

  • Overall Assessment: One RFC-compliance bug identified regarding the non-standard Bug-Bounty directive.
  • Priority Issues:
    • Remove or comment out the non-standard Bug-Bounty: False directive to comply with RFC 9116.

🤖 AI Code Review | Generated with ai-code-review | Model: gemini-3.1-pro-preview

⚠️ AI-generated suggestions may be incorrect. Verify before applying. Not a replacement for human review.

Author
Owner

True that Bug-Bounty isn't in the rfc... but it is in https://www.iana.org/assignments/security-txt-fields/security-txt-fields.xhtml as an extension.

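A small checker for the point the two comments above dispute, written here as an added example (it is not code from the infra/ansible repository or from the ai-code-review tool): it parses a security.txt body, verifies the RFC 9116 requirements the review cites (Contact and Expires present, Expires a single valid RFC 3339 timestamp that has not passed, web URIs using https) and reports any field name that is neither an RFC 9116 field nor in a caller-supplied allow-list of extension fields. The allow-list contains Bug-Bounty on the strength of the IANA registry claim above, which is taken as an assumption here; the sample file contents are constructed from the values quoted in the review, and MERGE_TIME is the merge timestamp from this page used as a fixed "now".

```python
"""Minimal RFC 9116 security.txt checker (added example, not project code)."""
from datetime import datetime, timedelta, timezone

# Field names defined in RFC 9116, section 2.5.
RFC9116_FIELDS = {
    "Acknowledgments", "Canonical", "Contact", "Encryption",
    "Expires", "Hiring", "Policy", "Preferred-Languages",
}

# Extension fields this checker accepts. The thread states Bug-Bounty is
# registered in the IANA security.txt fields registry; that is an assumption
# here, so confirm it against the registry before relying on it.
EXTENSION_FIELDS = {"Bug-Bounty"}

# Constructed sample in the shape of the file under review.
SAMPLE = """\
Canonical: https://admin.fedoraproject.org/.well-known/security.txt
Contact: mailto:infra-security@fedoraproject.org
Expires: 2027-02-10T21:01:00.000Z
Bug-Bounty: False
Policy: https://fedoraproject.org/wiki/Infrastructure-security-reports
"""

# Merge timestamp from the PR page, used as a fixed clock for reproducible runs.
MERGE_TIME = datetime(2026, 3, 12, 20, 39, 4, tzinfo=timezone.utc)


def parse(text):
    """Return (fields, problems); fields maps a field name to its list of values.

    Blank lines and '#' comments are skipped, which is why a comment is the
    safe place for free-form notes such as "we have no bug bounty program".
    """
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: not a 'Name: value' field")
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        fields.setdefault(name, []).append(value)
    return fields, problems


def _parse_expires(value):
    """Parse an RFC 3339 timestamp such as 2027-02-10T21:01:00.000Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    stamp = datetime.fromisoformat(value)
    if stamp.tzinfo is None:  # RFC 3339 requires an explicit UTC offset
        raise ValueError("missing timezone offset")
    return stamp


def check(text, now=None, extension_fields=EXTENSION_FIELDS):
    """Validate a security.txt body; returns a list of findings (empty == OK)."""
    now = now or datetime.now(timezone.utc)
    raw_fields, findings = parse(text)

    # Field names are case-insensitive; fold known ones to canonical spelling.
    known = {f.lower(): f for f in RFC9116_FIELDS | set(extension_fields)}
    fields = {}
    for name, values in raw_fields.items():
        fields.setdefault(known.get(name.lower(), name), []).extend(values)

    for name in fields:
        if name not in known.values():
            findings.append(f"{name}: not an RFC 9116 field or allowed extension")

    if "Contact" not in fields:
        findings.append("Contact: required field is missing")
    if "Expires" not in fields:
        findings.append("Expires: required field is missing")
    elif len(fields["Expires"]) > 1:
        findings.append("Expires: must appear exactly once")
    else:
        try:
            expires = _parse_expires(fields["Expires"][0])
            if expires <= now:
                findings.append(f"Expires: file expired at {expires.isoformat()}")
            elif expires - now > timedelta(days=365):
                findings.append("Expires: more than a year ahead (RFC 9116 recommends less)")
        except ValueError as exc:
            findings.append(f"Expires: not an RFC 3339 timestamp ({exc})")

    # Web URIs in these fields must use https (RFC 9116 forbids plain http).
    for name in ("Contact", "Canonical", "Policy", "Encryption", "Acknowledgments", "Hiring"):
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                findings.append(f"{name}: must use https, got {value}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE) or ["OK: no findings"]:
        print(finding)
```

Running it with the default allow-list reports nothing for the sample; dropping Bug-Bounty from `extension_fields` reproduces the first review's complaint, so the disagreement in the thread reduces to which extension names an operator chooses to allow, not to a parsing problem.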
Member

Let's try a thing. ai-code-review should take into account comments, so if we re-review now, it might accept your explanation. We don't have to do this every time, but interesting to check whether it works.


AI Code Review

📋 MR Summary

This MR updates the security.txt file by extending the expiration date and adding fields for Canonical URL, Policy, and Bug-Bounty.

  • Key Changes:
    • Extended the Expires field to February 10, 2027.
    • Added Canonical field pointing to the official security.txt location.
    • Added Policy field pointing to the infrastructure security reports wiki page.
    • Added Bug-Bounty field explicitly set to False to deter beg bounties.
  • Impact: roles/security.txt
  • Risk Level: 🟢 Low - This is a configuration change to a static text file intended for informational purposes. It does not introduce code logic changes.

Detailed Code Review

The updates to the security.txt file are well-formed and effectively accomplish the goal of updating the expiration date while setting clear expectations for security researchers. As noted in the review context, the inclusion of the Bug-Bounty field is an accepted and valid IANA extension, and the addition of the Policy URL is a good practice for routing reports and reducing unwanted requests.

Summary

  • Overall Assessment: Review completed. No critical issues or bugs identified.

🤖 AI Code Review | Generated with ai-code-review | Model: gemini-3.1-pro-preview

⚠️ AI-generated suggestions may be incorrect. Verify before applying. Not a replacement for human review.

Member

Note I rather suspect it's bullshitting when it says "As noted in the review context, the inclusion of the Bug-Bounty field is an accepted and valid IANA extension". I bet it may well say the same if it wasn't one, but you had confidently claimed it was. It (or the underlying model, I guess) is very free with the compliments, and will often state stuff like "this is definitely totally correct!" when it wasn't.

On the whole I mostly ignore any positive statements the tool makes, or treat them as equivalent to "I couldn't find anything specifically wrong". Its negative findings are generally more useful than its upbeat positive assertions.

Author
Owner

Yeah, so let's go and we can adjust if needed.

kevin merged commit aa2b0180aa into main 2026-03-12 20:39:04 +00:00
Reference
infra/ansible!3210