Merge pull request #2016 from rust-lang/remo/ynxwqrvksvok

Add a `.well-known/security.txt`

Author: Manishearth

Cargo.lock

@@ -15,3 +15,6 @@ toml = "0.8"
 serde_json = "1.0"
 rust_team_data = { git = "https://github.com/rust-lang/team" }
 percent-encoding = "2.1.0"
+
+[dev-dependencies]
+time = { version = "0.3.36", features = ["parsing"] }

Cargo.toml

@@ -233,6 +233,11 @@ fn redirect_bare_en_us() -> Redirect {
     Redirect::permanent("/")
 }
 
+#[get("/.well-known/security.txt")]
+fn well_known_security() -> &'static str {
+    include_str!("../static/text/well_known_security.txt")
+}
+
 #[catch(404)]
 #[allow(clippy::result_large_err)]
 fn not_found(req: &Request) -> Result<Template, Redirect> {
@@ -459,6 +464,7 @@ async fn rocket() -> _ {
                 team_locale,
                 subject_locale,
                 redirect_bare_en_us,
+                well_known_security,
             ],
         )
         .register(

src/main.rs

@@ -0,0 +1,2 @@
+Contact: https://www.rust-lang.org/policies/security
+Expires: 2025-05-15T00:00:00.000Z

static/text/well_known_security.txt

@@ -0,0 +1,37 @@
+use time::{format_description::well_known::Rfc3339, OffsetDateTime};
+
+static TEXT: &str = include_str!("../static/text/well_known_security.txt");
+
+#[test]
+fn well_known_security_is_not_about_to_expire() {
+    let expires = TEXT.split("Expires:").nth(1).unwrap().trim();
+    let expires = OffsetDateTime::parse(expires, &Rfc3339).unwrap();
+    let one_month_from_now = OffsetDateTime::now_utc() + time::Duration::days(30);
+    assert!(
+        one_month_from_now < expires,
+        "
+        ┌────────────────────────────────────────────────────────────────┐
+        │                                                                │
+        │  I looks like the expiration date of the security policy needs │
+        │  updating. Before blindly updating it, please make sure the    │
+        │  pointed-to URL still refers to the source of truth of the     │
+        │  security policy of the Rust project. If all is well, you can  │
+        │  update the expiration date in the relevant file:              │
+        │                                                                │
+        │  static/text/well_known_security.txt                           │
+        │                                                                │
+        └────────────────────────────────────────────────────────────────┘
+        "
+    );
+}
+
+#[test]
+fn well_known_security_expires_within_a_year() {
+    let expires = TEXT.split("Expires:").nth(1).unwrap().trim();
+    let expires = OffsetDateTime::parse(expires, &Rfc3339).unwrap();
+    let one_year_from_now = OffsetDateTime::now_utc() + time::Duration::days(370);
+    assert!(
+        expires < one_year_from_now,
+        "The security policy should be checked once a year, please reduce the expiration date."
+    );
+}