Security announcements

Unactive · November 7, 2022, 1:07pm

Hello,

Does the Caddy project have a particular policy currently in place as to how it communicates potential important security announcements specifically?

While it seems as though security is very important to the project’s maintainers, and it being very open to security reports and advisories, I was not able to find an easy way to retrieve past / be notified of future announcements of that sort.

Currently the only option I see is careful review of all releases, as soon as they come out. But that’s not always possible.

I have seen other projects who offer RSS feeds or forum topic category dedicated to Security Announcements. Is there such a thing for Caddy and if not have you considered creating one? An easy way to subscribe to very important announcements is an easy way to efficiently communicate with users on these issues.

francislavoie · November 7, 2022, 1:36pm

We’d probably publish it here: https://github.com/caddyserver/caddy/security

We just haven’t had anything severe enough to bother making a formal security advisory yet.

You can click “Watch” at the top of the GitHub repo and check Releases to get notified when we publish new releases, and you can keep an eye on that to see if there’s anything relevant to you in the notes.

matt · November 7, 2022, 5:29pm

Huh. I didn’t even know about that page…

Generally I announce security patches in releases and the forum and even Twitter if it’s important.

system · February 5, 2023, 1:07pm

This topic was automatically closed after 90 days. New replies are no longer allowed.