in-source vulnerability tracking

security-advisories/README.md

@@ -0,0 +1,7 @@
+# Security Advisories for `zip`
+
+This folder documents the security vulnerabilities affecting the zip crate. It is currently incomplete: RustSec tracks some old vulnerabilities and you should especially ensure you're using an up-to-date version of bzip2.
+
+## Reporting
+
+This folder contains a public key ([./zipadvisories.key]) which may be used for reporting sensitive vulnerabilities to the zip maintainers. At time of writing, @plecra has the decryption key. Sending encrypted reports to marli@frost.red or via a new github issue is greatly appreciated.

security-advisories/zipadvisories.key

@@ -0,0 +1,42 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGUJ3MIBDADSpQ2HCWcUYrvNnKEcWHSXbMeWeZwIJuxefRO0MEwp1gQCYR+2
+jQwKkmhPjR8ZEcuooSS1zYl1zZxgvnBVgvkNNZeEA7K6fEg632K85/VKcHLR/ZFQ
+T2CtACn2L+7dk75GvNMnTLlw8j9ogxKI8BleVCFA9gxit7lsxVJkS0AoRxfAnwbE
+ZTIn7VKvX4zEEIaTF90Fsb33El8vKOOqNpkcwHMFJYkq4D9tWgLku0HDlKTREcTg
+c6ySfqUZKdJZM1foGCoMJd3pIiPlF3TRv2iISHMRnFdFZ8nzXGnUOvZQsmNGKoZr
+FmaB1RIsGZMe58lFabNekaTZ67ja2eXMcGrZ9cfxgISn4SMHk9DZNzsWVTtqe/ZS
++TbjNBfxoezZWbK+eW9aI+6jWclCymbwnmkGZ6pCGinQ/hPGNH68R6cgM19FFSJR
+0dkOS0Inqi/LFX8oFG92HrNqOJU2HJiiJw/CuS+NpsWle+EuKBia0+7bX/J2DTio
+EPPLwE/bzW5p3MEAEQEAAbRlbWFybGkgKGVuY3J5cHRpb24ga2V5IGZvciBzZWN1
+cml0eSBhZHZpc29yaWVzIG9uIGNyYXRlcyBvd25lZCBieSBnaXRodWIuY29tL3Bs
+ZWNyYSkgPG1hcmxpQGZyb3N0LnJlZD6JAc4EEwEKADgWIQQ8qnkYgARauRpEvXuO
+4ShR8uWq+wUCZQncwgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCO4ShR
+8uWq+4scC/oCDXs9/toC4jf0KhGx3u9H3o6XMnmtnTB4k4drG8gAmGVbkawY1IXt
+uU77FUXEpP1AesmiBNcsxv7RrCElrCdzjS3yfMFDvK+sOP/97qThh5kRg03XKgeK
+bEzgX0lTWR2j+keEqx/GtAxeNN65U3B2J6Z5kjl3UAm4TvVR/mmB72HTU8krOr1e
+VQGhlE3SXk0QL5aByeH6qaVFm1PSIIJdkZhGBVGAf0Yb32c7/ngUZCpDWbVhmkQg
+kFAgYtN49mt3pbe4SI5P3goPc6aitFJ2mCl103QxN3n3hJ8YU/8n92PlxaerfiRt
+W10sZGhVc/iC8Qow7ZqtvdIsxciz9y1iAL7N4v4g4jOAtDy6Q/Fajm3+wTy4R8Jj
+2nx/Cq/Gk/AHqkvEpAkcUW4iQ2bZFKdpDfi6/phSeoBS+WF3dycsOlLKS90Tvhiw
+DYasxuNzwJK0IO8YM+hiId/ziErsKG2CTx9LePToYzgLvA9OJITi4UZm71Jkmuth
+5X4duNT+TSq5AY0EZQncwgEMAK0zXJq2mURC0VyM4pTIVkdgIZBR3n0YCgRTtcTQ
+IOnoiX9KLT6ZGfMllAEzAacgBqZnw/AGw9lraH3X8gyFH94dntIJEhmcmJ4RYVdl
+GchyiQYUSmtqJdTQ3el9TxQ0ec5nst3MHEeaQnUKPYVMJZkIDMg/jzmlyKVb3EOS
+QDKfqGhlNU8N0tAwmwyVzKc4rJHuDQOuZbn6u1/X2RBE9jMRFaMHVMG6iZNcjVfC
+3HVqa00ZYTR9rZPlVuvlbT1pnZ2DkOKYp9fGd55eL8CHUDd7IFgdRauKIe6XySGM
+nIIOdy/vfVNNBdzo8SiWtDs1Um0KvPF97CTcqyCo4wn3howWXP2OIoyif9l/cFwN
+a3EBCSSJK/DJ1un0DwtsH8uKyDccwzGmAIMkK7IDVRGlHV7z8UsrdamNTh3CdJn5
+yczsLWDY00vLs7IaT3/ZGzWdoBBX4cClUS3Aru1GWpHBjTH9BQO03t237hnQezLp
+ALzwh3pqkjaakmSqTBoYVS06dwARAQABiQG2BBgBCgAgFiEEPKp5GIAEWrkaRL17
+juEoUfLlqvsFAmUJ3MICGwwACgkQjuEoUfLlqvuzQAv8CxuBQiLA4AGki1EUCEvk
+xqXbMlBfX+qL1gKnj547lyqnIbjMrhCuJs72gc3vclWNP2tT2XCwsoTs4rZJwccV
+NVQzDoJpalckumI1o85ZbBosfl3do8riUXKfQ5CWmoKbiSCziSqm2cB7BqesLjNy
+6zu7y0J5qMGjIArDqoS59r9iQfY8tbqq2rcVnCoIrHNLp8WupkGjpsNOWxkg4sZh
+v0xOMfrU7v7ErNH+TCEVQzXXFDbc9ppnfBkFBBvlO08O16sAlA2xRnQc+hlM0FdJ
+Q8CHklvolWdhbkuLHYRDvYf+MIf0r5F1Bk6Dh7YZkEI9kK5qSOOsZ0TZOPGteMbm
+Oseln6bu/TwLHowf4ItYmjYPOeNHGNf91g1X98JdQvyyda0YldAQlz6I4aPzUH07
+XhyezUF1T04aN3T73TZmpRJBC611c7rSh2yw5ED4J/TjNQI8BcTny0wC7Sfi/krc
+ory7KoaRpUGG+00fWgTzsd/ktf2pSCKDJGs5S8DDAVhJ
+=Cxca
+-----END PGP PUBLIC KEY BLOCK-----