@jasnow
Created June 2, 2026 20:28
ruby-advisory-db ISSUE #1045 - As of 6/2/2026
Local advisory conventions that @postmodern and I (@jasnow) have used in the past and that are not checked by a "yamllint" or "rake" run.
5/12/2026
* The first step before submitting PRs is to run "yamllint" on the YAML files and then run "rake". Both commands should report no issues. More info regarding yamllint [HERE](https://github.com/rubysec/ruby-advisory-db/blob/master/.github/workflows/ruby.yml).
* See PR #1022 regarding checking for correct YAML field indentation.
* Field `related:/url:` is 4 blanks from the left margin.
* Fields `patched_versions` and `unaffected_versions` are 2 blanks from the left margin.
* Postmodern likes:
  * Change "|-" to "|" on the `description:` line.
  * Line wrap the `description:` and `title:` fields at 80. (See [CONTRIBUTING.md](https://github.com/rubysec/ruby-advisory-db/blob/master/.github/workflows/ruby.yml)). @jasnow usually uses 75 because of the 2-char field indent.
5/13/2025
* Postmodern likes:
  * Not using "\n" in the `description:` field.
  * No "POC" in the `description:` field. They will be flagged during the `rake` run and removed during harvesting.
* Ruby YAML does not like embedded ":" characters.
* Check all URLs for dead links. Sometimes the URL can still be found on https://web.archive.org .
* Suggest adding project-related evidence as references to prove the patch, such as CHANGELOGs, Release Notes, and project blog posts.
5/15/2026
* Postmodern wanted the advisory filename prefix chosen in this order: 1st choice CVE, then GHSA, then OSVDB.
5/23/2026
* Regarding the PR reviews yesterday:
  * I (@jasnow) usually collect all of the necessary URLs and put them in the `related: / url:` field, then pick one of the above URLs that is an advisory to use in the `url:` field. I never thought of it as duplicates, and @postmodern never asked for the duplicate to be removed.
  * I found `dependabot` being used in 2023, but it stopped at some point. Also, the `.gitignore` file contains the Gemfile.lock file, so @postmodern did not work on gem upgrade PRs.
5/24/2026
* @postmodern wants this policy: `Omit patched_versions: if the GHSA has no patched version identifiers`, as documented in https://github.com/rubysec/ruby-advisory-db/pull/664/changes. More info at: https://github.com/rubysec/ruby-advisory-db/issues/157
* As of today, I (@jasnow) will harvest/create advisories where the root `url:` value is equal to the filename with a suffix.
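As an added example (not code from this gist or from ruby-advisory-db), a small Ruby checker for the local conventions above that yamllint and rake do not enforce: the `|-` vs `|` style on `description:`, literal "\n" and "POC" in text, the 80-column wrap, the 2- and 4-blank indents under `patched_versions:`/`unaffected_versions:` and `related:/url:`, the CVE/GHSA/OSVDB filename prefix, and a parse failure caused by an embedded ":". The advisory text, its filename and the `example.invalid` URLs are constructed placeholders; the `url:`/filename rule from 5/24 is not checked because the suffix is not spelled out above.

```ruby
require "yaml"
WRAP_LIMIT = 80
PREFIX_ORDER = %w[CVE GHSA OSVDB] # accepted filename prefixes, in order of preference
# Expected indent of "- " items under each top-level field (related covers related:/url:)
EXPECTED_INDENT = { "patched_versions" => 2, "unaffected_versions" => 2, "related" => 4 }

# Returns an array of findings; an empty array means the file follows the conventions.
def check_advisory(text, filename)
  issues = []
  prefix = File.basename(filename, ".yml").split("-").first
  issues << "filename prefix #{prefix} is not CVE/GHSA/OSVDB" unless PREFIX_ORDER.include?(prefix)
  # An embedded ": " inside a plain scalar breaks Ruby's YAML parser; report that once.
  begin
    YAML.safe_load(text)
  rescue Psych::SyntaxError => e
    issues << "YAML does not parse (check for embedded ':'): #{e.message}"
  end
  section = nil
  text.each_line.with_index(1) do |raw, n|
    line = raw.chomp
    section = $1 if line =~ /\A(\w+):/ # remember the current top-level field
    issues << "line #{n}: use '|' instead of '|-' on description:" if line =~ /\Adescription:\s*\|-/
    issues << "line #{n}: literal \\n in text" if line.include?("\\n")
    issues << "line #{n}: mentions POC" if line =~ /\bPOC\b/
    issues << "line #{n}: #{line.length} chars, wrap at #{WRAP_LIMIT}" if line.length > WRAP_LIMIT && line !~ %r{https?://}
    if line =~ /\A(\s*)- / && (want = EXPECTED_INDENT[section])
      got = $1.length
      issues << "line #{n}: item under #{section} indented #{got}, expected #{want}" if got != want
    end
  end
  issues
end

# Constructed sample advisory (placeholder identifiers); it breaks three conventions on purpose.
SAMPLE_NAME = "CVE-2026-00000.yml"
SAMPLE = <<~YAML
  ---
  gem: example-gem
  cve: 2026-00000
  url: https://example.invalid/advisories/CVE-2026-00000
  title: Example gem allows an authentication bypass
  description: |-
    A POC was published for this issue.
  patched_versions:
        - ">= 1.2.3"
  related:
    url:
      - https://example.invalid/changelog
YAML
check_advisory(SAMPLE, SAMPLE_NAME).each { |issue| puts issue } if $PROGRAM_NAME == __FILE__
```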
**MORE TO COME**