meeting notes: 2023-10-18, 2023-11-01

Author: frasertweedale

meeting-notes/2023-10-18.md

@@ -0,0 +1,32 @@
+# SRT meeting 2023-10-18
+
+[Previous meeting notes](https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-10-04.md)
+
+## Present
+
+- Tristan, Gautier and Fraser
+
+## Previous AIs
+
+- PR have been merged
+
+## Remaining work to be merged
+
+- CWE and CVSS validation and data type
+- Work on GitHub workflow automation enhancement can proceed when this has been merged.
+    - FT: As far as I know, we have to pursue a webhook or "bot" approach
+      rather than exeucting behaviour within webhooks, because PRs from
+      forks do not have privileged tokens.
+    - Tristan: what about issues?  Do actions triggered by issues have the needed permissions?
+    - OpenStack CI has a concept of config job which can run with privileged on untrusted project.
+
+## Downstream tooling
+
+- David's post calling for action:
+  https://discourse.haskell.org/t/would-you-like-to-write-a-security-advisory-analyzer/7638
+- Gautier: community contribution that was merged as part of the `check` command: https://github.com/blackheaven/security-advisories/pull/2
+
+## Outstanding embargoed issue
+
+- Follow up with Mihai if he knows the status.  We might
+  set a date for disclosure and advise downstream and upstream

meeting-notes/2023-11-01.md

@@ -0,0 +1,27 @@
+# SRT meeting 2023-11-01
+
+Previous notes: https://edit.smart-cactus.org/cpEZf5ykQZGowfAzI3OPcA?both#
+
+## Present
+
+- Tristan, Gautier and Fraser
+
+
+## CVSS
+
+- Tristan is working through the TODOs.
+
+## GitHub automation
+
+- Fraser is hoping to start work during the next 2 weeks.
+
+
+## Outstanding embargoed issue
+
+- Follow up with Mihai if he knows the status.  We might
+  set a date for disclosure and advise downstream and upstream
+  
+## Quarterly report
+
+- We are overdue for the Q3 report.  Fraser will draft
+  a report in the next period.