
move security verification to support section

the rationale is to simplify the README file to the bare
minimum. security researchers will be able to find the contact
information if they look minimally and people installing the software
will find a link where relevant (in binary releases only, since all
the others have other trust paths)
Antoine Beaupré, 9 years ago
parent
commit b4d0388785
3 changed files with 21 additions and 16 deletions
  1. README.rst (0 added, 16 removed)
  2. docs/installation.rst (3 added, 0 removed)
  3. docs/support.rst (18 added, 0 removed)

+ 0 - 16
README.rst

@@ -113,22 +113,6 @@ Now doing another backup, just to show off the great deduplication:
 
 For a graphical frontend refer to our complementary project `BorgWeb <https://borgweb.readthedocs.io/>`_.
 
-Checking Release Authenticity and Security Contact
---------------------------------------------------
-
-`Releases <https://github.com/borgbackup/borg/releases>`_ are signed with this GPG key,
-please use GPG to verify their authenticity.
-
-In case you discover a security issue, please use this contact for reporting it privately
-and please, if possible, use encrypted E-Mail:
-
-Thomas Waldmann <tw@waldmann-edv.de>
-
-GPG Key Fingerprint: 6D5B EF9A DD20 7580 5747  B70F 9F88 FB52 FAF7 B393
-
-The public key can be fetched from any GPG keyserver, but be careful: you must
-use the **full fingerprint** to check that you got the correct key.
-
 Links
 -----
 
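Review bot: with the whole "Checking Release Authenticity and Security Contact" section removed, the README no longer carries any pointer to the security contact or the signing-key fingerprint, and within this change the fingerprint ends up only in docs/support.rst. Consider keeping a one-line entry in the "Links" section that follows this hunk, pointing at the Security section of the support docs, so that both people reporting an issue and people verifying a download can reach it from the project's front page.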

+ 3 - 0
docs/installation.rst

@@ -64,6 +64,9 @@ and compare that to our latest release and review the :doc:`changes`.
 Standalone Binary
 -----------------
 
+.. note:: Releases are signed with an OpenPGP key, see
+          :ref:`security-contact` for more instructions.
+
 |project_name| binaries (generated with `pyinstaller`_) are available
 on the releases_ page for the following platforms:
 
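Review bot: the added note promises "more instructions" at :ref:`security-contact`, but the section this commit adds under that label in docs/support.rst contains only the fingerprint and the sentence "please use GPG to verify their authenticity", with no verification steps. Either reword the note to say what is actually there (the signing key fingerprint), or add the steps to the target section: obtain the key, compare the full fingerprint, then verify the release signature before running the binary. The comma splice in "key, see" would also read better as two sentences.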

+ 18 - 0
docs/support.rst

@@ -56,3 +56,21 @@ As a developer, you can become a Bounty Hunter and win bounties (earn money) by
 contributing to |project_name|, a free and open source software project.
 
 We might also use BountySource to fund raise for some bigger goals.
+
+.. _security-contact:
+
+Security
+--------
+
+In case you discover a security issue, please use this contact for reporting it privately
+and please, if possible, use encrypted E-Mail:
+
+Thomas Waldmann <tw@waldmann-edv.de>
+
+GPG Key Fingerprint: 6D5B EF9A DD20 7580 5747  B70F 9F88 FB52 FAF7 B393
+
+The public key can be fetched from any GPG keyserver, but be careful: you must
+use the **full fingerprint** to check that you got the correct key.
+
+`Releases <https://github.com/borgbackup/borg/releases>`_ are signed with this GPG key,
+please use GPG to verify their authenticity.
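
Review bot: in the new Security section the release-verification paragraph is placed last, after the private reporting contact, and its "this GPG key" refers back to a fingerprint introduced several paragraphs earlier as part of a personal contact. A reader arriving from the installation note via `security-contact` has to read through the reporting instructions to find it. Consider splitting the section into a reporting-contact part and a release-verification part with its own label, so docs/installation.rst can link straight to the verification text, and state explicitly that the listed fingerprint is the release signing key.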