| 1 | +# SRT meeting 2023-08-09 |
| 2 | + |
| 3 | +[Previous meeting notes](https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-07-26.md) |
| 4 | + |
| 5 | +## Previous AIs: |
| 6 | + |
| 7 | + - Mihai |
| 8 | + - Will follow up for project contacts for embargoed issues |
| 9 | + - Look into GHCup #858 -- still in progress |
| 10 | + - Everyone |
| 11 | + - Send David the email address used by your Bitwarden account |
| 12 | + so it can be added to HF's organization. |
| 13 | + - FT |
| 14 | + - Documentation of repo structure, including symlinks |
| 15 | + - Documentation about dates - that they are retieved from Git history |
| 16 | + - full history required, not shallow clone |
| 17 | + - Create GH issue to design HSEC ID reservation feature |
| 18 | + - re Base readFloat, update bgamari that advisory exists |
| 19 | + - ping pandoc folks, ask them to submit advisories |
| 20 | + - someone |
| 21 | + - Requirements/guidelines for dependency analysis tooling |
| 22 | + - Start writing them down, commit to our repo |
| 23 | + |
| 24 | +## Pandoc |
| 25 | + |
| 26 | +- New pandoc issue: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g |
| 27 | +- Related issue: https://github.com/jgm/pandoc/issues/8584 |
| 28 | +- Security section of manual: https://pandoc.org/MANUAL.html#a-note-on-security |
| 29 | + |
| 30 | + |
| 31 | +## Recording affected symbols |
| 32 | + |
| 33 | +- Tristan looking into it |
| 34 | +- Some doubts about how to record e.g. type class instances |
| 35 | +- GitHub issue we can use for discussion: https://github.com/haskell/security-advisories/issues/86 *"Leverage the declaration field to specify which function is affected"* |
| 36 | + |
| 37 | + |
| 38 | +## ID reservation |
| 39 | + |
| 40 | +- PR: https://github.com/haskell/security-advisories/pull/114 |
| 41 | +- `hsec-tools reserve-id --assign --commit` |
| 42 | +- TODO: add diagnostic output e.g. "Reserved HSEC-YYYY-NNNN.md" |
| 43 | + |
| 44 | + |
| 45 | +## Publishing hsec-tools to hackage? |
| 46 | + |
| 47 | +- We should probably do it some time :) |
| 48 | +- Maybe extract OSV library first, and land the toml library change first |
| 49 | + |
| 50 | +## Purl parsing |
| 51 | + |
| 52 | +- [spec](https://github.com/package-url/purl-spec) |
| 53 | +- [Hackage](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#hackage) |
| 54 | +- Casey started work on this |
| 55 | +- We should define and propose to haskell community a *profile* of Purl, in particular how to represent |
| 56 | + - Package components (`lib`, `exe:<name>`, `lib:<name>`) |
| 57 | + - Cabal flags (`[+-]<flag-name>`) |
| 58 | + - There is a hackage namespace defined for Purl, but it does not suggest how to represent these data |
| 59 | + |
| 60 | + |
| 61 | +## Action Items |
| 62 | + - Bitwarden accounts? |
| 63 | + - Mihai: |
| 64 | + - Progress on embargoed items |
| 65 | + - Look into GHCup #858 -- still in progress |
| 66 | + - Tristan: rebase the toml-parser PR#88 |
| 67 | + |
| 68 | + - David: Encourage Pandoc devs to test out our advisory process |
| 69 | + - FT: Documentation of repo structure |
| 70 | + - FT: Diagnostic output (created file XYZ) |
| 71 | + - FT to publish PR for (currently WIP) enhancement to record package components in HSEC security-advisories |
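Review bot: The "## Action Items" block at the end of the hunk is inconsistent with the rest of the file and will render badly: it has no blank line after the heading, the items are indented with a leading space while every other list in the file starts at column zero, and the empty line between the Tristan and David items splits the list in two. Consider normalizing to the style used under "## Previous AIs" and "## Purl parsing", e.g. `- Mihai:` / `  - Progress on embargoed items`, and dropping the blank line. Two smaller points in the same hunk: line 15 has the typo "retieved" (should be "retrieved"), and "Bitwarden accounts?" plus the "someone" owner for the dependency-analysis guidelines carry no assignee, so those items are likely to be dropped again at the next meeting; either name an owner or mark them explicitly as unassigned. Finally, "## Previous AIs:" is the only heading with a trailing colon; the other headings have none.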