xref: /aosp_15_r20/external/slf4j/SECURITY.md (revision d4cc4a21ff30dee54251e974d02850809c70b030)

## Reporting security issues

Please report security issues related to the SLF4J project to the
following email address:

   support(at)qos.ch

## Verifying contents

All SLF4J project artifacts published on Maven central are signed. For
each artifact, there is an associated signature file with the .asc
suffix.

### After 2022-08-08

To verify the signature use [this public key](https://www.slf4j.org/public-keys/60200AC4AE761F1614D6C46766D68DAA073BE985.gpg). Here is its fingerprint:
```
pub   nistp521 2022-08-08 [SC]
      60200AC4AE761F1614D6C46766D68DAA073BE985
uid   Ceki Gulcu <[email protected]>
sub   nistp521 2022-08-08 [E]
```

A copy of this key is stored on the
[keys.openpgp.org](https://keys.openpgp.org) keyserver. To add it to
your public key ring use the following command:

```
FINGER_PRINT=60200AC4AE761F1614D6C46766D68DAA073BE985
gpg --keyserver hkps://keys.openpgp.org --recv-keys "$FINGER_PRINT"
```

### Before 2022-08-08

To verify the signature use [this public key](https://www.slf4j.org/public-keys/ceki-public-key.pgp). Here is its fingerprint:

```
pub   2048R/A511E325 2012-04-26
Key fingerprint = 475F 3B8E 59E6 E63A A780  6748 2C7B 12F2 A511 E325
uid   Ceki Gulcu <[email protected]>
sub   2048R/7FBFA159 2012-04-26
```

A copy of this key is stored on the
[keys.openpgp.org](https://keys.openpgp.org) keyserver. To add it to
your public key ring use the following command:

```
FINGER_PRINT=475F3B8E59E6E63AA78067482C7B12F2A511E325
gpg --keyserver hkps://keys.openpgp.org --recv-keys "$FINGER_PRINT"
```
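
Once the key is imported, a plain `gpg --verify` succeeds for a signature from any key in the keyring, so the check worth scripting is that the signer is the pinned fingerprint. The following is an added example, not part of the SLF4J project's own tooling; the function names, script name and sample status lines are assumptions, and only the two fingerprints come from this page.

```sh
#!/bin/sh
# Added example (not from the SLF4J project). The two pinned fingerprints are
# the ones listed on this page; everything else is an assumption.
KEY_AFTER=60200AC4AE761F1614D6C46766D68DAA073BE985    # artifacts after 2022-08-08
KEY_BEFORE=475F3B8E59E6E63AA78067482C7B12F2A511E325   # artifacts before 2022-08-08

# status_signed_by FPR: reads `gpg --status-fd` output on stdin and succeeds
# only if a VALIDSIG line names FPR as the primary key (its last field) and
# no line flags a bad signature or an expired/revoked key (strict policy
# chosen for this example).
status_signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(ok && !bad) }'
}

# verify_artifact FILE FPR: checks FILE against FILE.asc and requires that the
# signer is the pinned key, not merely some key present in the keyring.
verify_artifact() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        status_signed_by "$2"
}

# Constructed sample of gpg status output for a good signature (not captured
# from a real run); timestamps and algorithm ids are illustrative.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 60200AC4AE761F1614D6C46766D68DAA073BE985 2023-01-01 1672531200 0 4 0 19 10 00 60200AC4AE761F1614D6C46766D68DAA073BE985'

# Usage: sh verify.sh <artifact> <fingerprint>   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    verify_artifact "$1" "$2" && echo "OK: signed by $2"
fi
```

Pass `$KEY_AFTER` or `$KEY_BEFORE` according to the artifact's release date, matching the two sections above.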

## Preventing commit history overwrite

In order to prevent loss of commit history, developers of the project
are highly encouraged to deny branch deletions or history overwrites
by invoking the following two commands on their local copy of the
repository.

```
git config receive.denyDelete true
git config receive.denyNonFastForwards true
```