meeting notes: 2024-01-10

Author: frasertweedale

meeting-notes/2024-01-10.md

@@ -0,0 +1,31 @@
+# SRT meeting 2024-01-10
+
+Previous meeting notes: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-12-13.md
+
+
+## 2023 H2 report
+
+- Draft sent to list; thanks for reviews.  FT will publish today.
+
+## ZuriHac plans
+
+- We agree it's a good idea to have a project, e.g. `cabal audit`, Hackage server.
+- Timeline: Jan for concept, March for concrete budget.
+- Jose has contact points with cabal-install and HLS.  hackage-server seems somewhat unloved.
+- Maybe we prioritise getting hackage-server attention?
+  - Many security improvment should/could be done (e.g. 2FA)
+- Can continue the discussion on list or GH issue (public).
+
+## Oustanding PRs
+
+- CWE library support.
+
+## Downstream toolling
+
+- Tristan already started something regarding tracking function calls 
+https://github.com/TristanCacqueray/cabal-audit
+- Support to suppress false positives will be important, esp. because we have >0 advisories for *base*.  This could be VEX and/or some other mechanism.
+
+## Publishing the HTML advisory index
+
+- Mihai: I was planning to look into the GHA but didn't get a chance yet