Bernhard E. Reiter

@Perflyst thanks for the two good hints! (BTW: It would be cool to read the differences between BetterUntis and OpenUntis, apart from being written in Kotlin, I could not gather...

@SapuSeven thanks for the hint!

What is the use case for a more detailed output here? Should the validity be checked automatically? Many admins would download the key from the URL and do more in...

Some checks are easier than others. The time period where a pubkey is "valid" can be checked easily. What is hard to check is how much to you believe that...

To clarify: The only way to specify one then on PMD is via the security.txt. See * https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#718-requirement-8-securitytxt * https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#731-finding-provider-metadatajson If there is a DNS entry, it has to be...

If the checker accepts this, and shouldn't, we also need to check the downloader and the aggregator. As they then also shouldn't accept a header redirect for the `provider-metadata.json`. Additionally...

> I would prefer a fault-tolerant solution for the downloader and aggreagtor In the early stages, this approach is likely to weaken the standard, so it would work against the...

@tschmidtb51 what do you think: * should this be fixed and how? * _service+dev_?

## Ideas and considerations * https://github.com/csaf-poc/csaf_distribution/tree/main/csaf already has a pretty complete model and code to access contents of CSAF documents * per JSONPath there is a principal method to specify...

## publish the module on https://pkg.go.dev upstream steps See following reports that affect us: * https://github.com/golang/go/issues/40586 * https://github.com/golang/go/issues/60552