
Suggestion to Relocate Security Policy to Root Folder for XZ Project #148

Closed
Ahlam-Banu opened this issue Oct 15, 2024 · 2 comments

Comments

@Ahlam-Banu

The Security Policy for this project is currently located in the .github directory (xz/.github/SECURITY.md). The scorecard tool is unable to detect it because it is not in the root folder.

Proposed Action:
Move the SECURITY.md file from xz/.github/ to the root directory xz/.

  • This change will ensure that the Security Policy is easily discoverable and compliant with tools like Scorecard.
  • It will improve the overall security posture and transparency of the project.

References:
Scorecard documentation: Link to Scorecard Checks

Thank you for your time and consideration!

@Larhzu
Member

Larhzu commented Nov 25, 2024

This issue made me realize that I hadn't included a Reporting bugs section on the home page. I have fixed this in XZ Utils, XZ for Java, and XZ Embedded pages now. While this wasn't the point of your report, thanks for making me notice it still. :-)

I added a default SECURITY.md to this organization (I only learned of this feature today). Now XZ Embedded and XZ for Java have vulnerability reporting information visible on GitHub in addition to the information being on the home pages of those projects.

XZ Utils has its own SECURITY.md still. I'm tempted to remove it and let GitHub show the default file instead. It's simpler if this kind of information needs to be maintained in fewer places. For example, with long-term branches (like v5.6 and v5.4), SECURITY.md should be kept in sync with master.

I hadn't heard about Scorecard before. Thanks for linking to the relevant documentation. I looked at the report about xz (generated at 2024-11-18).

  • Code-Review score is 0. Nowadays I do most things alone so this is what it is. A year ago there were two maintainers and we cross-reviewed the majority of commits, but this wasn't marked in the commit messages. In hindsight, the lack of commit message markings was a mistake but, on the other hand, Reviewed-by tags by that past maintainer wouldn't inspire much confidence today anyway.

  • Branch-Protection score is 0. I don't know the branch protection feature of GitHub well. I don't merge anything in the GH user interface; I do all merges locally. GitHub is mostly a repository and issue tracker hosting service to me.

  • Signed-Releases score is 6. It seems that it's not 10 because Scorecard checks the latest five releases and the fifth one is 5.4.6 which was signed by Jia. I suppose this score will improve when more releases are made.

  • Security-Policy showing the score of 0 doesn't sound like a big deal compared to the above.

I'm not interested in doing something solely because it looks good in some statistics. It should already be easy enough to figure out how to report security bugs in this project.

Now that I have read a bit more about Scorecard, I feel even more tempted to remove XZ Utils' SECURITY.md. Don't take me wrong, Scorecard gives useful advice, but following it solely to improve the scores doesn't add any real value. I'm still open to listening to different viewpoints before I proceed with SECURITY.md.

Thanks!
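The remark above that one of the five most recent releases counted by Scorecard's Signed-Releases check was signed by a different person is the practical caveat behind that check: a valid OpenPGP signature only proves that some key in your keyring signed the tarball, not that it was the maintainer you trust. The script below is an added example and not XZ's own tooling. It runs gpg with its machine-readable status output (the VALIDSIG line format is the one documented in GnuPG's DETAILS file) and accepts a release only when the primary-key fingerprint behind the signature is on an explicit allowlist. The fingerprints and the sample status lines are constructed placeholders, not real xz keys or real gpg output.

```python
"""Verify a release tarball's detached OpenPGP signature AND pin the signer.

`gpg --verify` exiting 0 means *some* key in the local keyring produced a
valid signature; it says nothing about whether that key belongs to the
maintainer you actually trust.  This script parses gpg's `--status-fd`
output and accepts a release only when the VALIDSIG primary-key
fingerprint is on an allowlist you maintain out of band.
"""
import subprocess
import sys
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical placeholder fingerprints (NOT real xz keys).  Replace with the
# 40-hex-digit fingerprints you have verified through a trusted channel.
MAINTAINER_FPR = "0" * 39 + "1"
TRUSTED_PRIMARY_FPRS = {MAINTAINER_FPR}

# Status tokens that mean the signature itself is not acceptable.
BAD_TOKENS = ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


def parse_status(status_text: str) -> Dict[str, object]:
    """Pull the signing-key and primary-key fingerprints out of `[GNUPG:]` lines."""
    result: Dict[str, object] = {"sig_fpr": None, "primary_fpr": None, "errors": []}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        token = fields[1]
        if token == "VALIDSIG":
            # VALIDSIG <sig-fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
            result["sig_fpr"] = fields[2].upper()
            # Field 11 is the primary key when a subkey signed; older gnupg
            # omits it, in which case the signing key is the primary key.
            result["primary_fpr"] = (fields[11] if len(fields) > 11 else fields[2]).upper()
        elif token in BAD_TOKENS:
            result["errors"].append(token)  # type: ignore[union-attr]
    return result


def evaluate(status_text: str, trusted: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, primary_fpr); verdict is 'ok', 'untrusted-signer' or 'invalid'."""
    parsed = parse_status(status_text)
    if parsed["errors"] or parsed["primary_fpr"] is None:
        return ("invalid", None)
    fpr = str(parsed["primary_fpr"])
    allow = {t.upper().replace(" ", "") for t in trusted}
    return ("ok", fpr) if fpr in allow else ("untrusted-signer", fpr)


def verify_release(tarball: str, sig: str, trusted=TRUSTED_PRIMARY_FPRS) -> Tuple[str, Optional[str]]:
    """Run gpg on a real tarball/signature pair and judge the signer, not just the exit code."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
        capture_output=True, text=True,
    )
    verdict, fpr = evaluate(proc.stdout, trusted)
    # Belt and braces: a VALIDSIG line with a non-zero exit still counts as failure.
    if proc.returncode != 0 and verdict == "ok":
        return ("invalid", fpr)
    return (verdict, fpr)


# Constructed sample status output (not captured from a real gpg run).
SUBKEY_FPR = "1" * 40
OTHER_FPR = "2" * 40
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1111111111111111 Example Maintainer <maintainer@example.org>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2024-05-29 1716940800 0 4 0 1 10 00 {MAINTAINER_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_UNTRUSTED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 2222222222222222 Someone Else <other@example.org>\n"
    f"[GNUPG:] VALIDSIG {OTHER_FPR} 2024-05-29 1716940800 0 4 0 1 10 00 {OTHER_FPR}\n"
)
SAMPLE_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 1111111111111111 Example Maintainer <maintainer@example.org>\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python verify_release.py <tarball> <detached .sig>
        print(verify_release(sys.argv[1], sys.argv[2]))
    else:
        for name, sample in (("good", SAMPLE_GOOD), ("untrusted", SAMPLE_UNTRUSTED), ("bad", SAMPLE_BAD)):
            print(name, evaluate(sample, TRUSTED_PRIMARY_FPRS))
```

The allowlist deliberately replaces gpg's web-of-trust model, which is why a TRUST_UNDEFINED line is ignored: the decision is "is this the maintainer's primary key", nothing else. When auditing the last N releases, run `verify_release` on each tarball and treat any `untrusted-signer` verdict as a release that needs a second look, exactly the case the comment above describes.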

@Larhzu
Member

Larhzu commented Nov 30, 2024 via email

@Larhzu Larhzu closed this as completed in fe9e669 Nov 30, 2024