| 1 | +# SRT 2023-07-26 |
| 2 | + |
| 3 | +## osv.dev |
| 4 | + |
| 5 | +- Hackage advisories are in production now |
| 6 | +- Version enumeration for Hackage and GHC was merged |
| 7 | +- Outstanding task: add examples to osv-schema |
| 8 | + - Mihai has PR in the works |
| 9 | + |
| 10 | +## Update on handling embargoed stuff |
| 11 | + |
| 12 | +- Gathering contact points for downstream |
| 13 | +- Someone needs to connect the dots to send messages |
| 14 | +- Contact list needs to be committed somewhere |
| 15 | + - Private contacts not be in the repo... so where? |
| 16 | + - Stored encrypted version in the security-advisories repo? |
| 17 | + - no |
| 18 | + - Use HF bitwarden account? (access/modify via HF admin access) |
| 19 | + - agreed |
| 20 | + |
| 21 | +## What should be part of the database format? |
| 22 | + |
| 23 | +- Repo data storage / semantics. David has some concerns: |
| 24 | + - Symlinks. Doesn't work well on Windows? |
| 25 | + - dates being stored in Git repo |
| 26 | + |
| 27 | +## Audit GHCup download practices |
| 28 | + |
| 29 | +- https://github.com/haskell/ghcup-hs/issues/858 |
| 30 | +- FT's comments: https://github.com/haskell/ghcup-hs/issues/858#issuecomment-1639300092 |
| 31 | + |
| 32 | +## Reserving HSEC IDs |
| 33 | + |
| 34 | +- It would be useful to be able to reserve an HSEC ID |
| 35 | +- FT will propose a way to do it (discuss it in a GH issue) |
| 36 | + |
| 37 | +## Any other known historical (or current) issues? |
| 38 | + |
| 39 | +- Pandoc |
| 40 | + - https://nvd.nist.gov/vuln/detail/CVE-2023-38745 |
| 41 | + - https://nvd.nist.gov/vuln/detail/CVE-2023-35936 |
| 42 | + |
| 43 | +## Action items |
| 44 | + - Mihai |
| 45 | + - Will follow up for project contacts for embargoed issues |
| 46 | + - Look into GHCup #858 |
| 47 | + - Everyone |
| 48 | + - Send David the email address used by your Bitwarden account |
| 49 | + so it can be added to HF's organization. |
| 50 | + - FT |
| 51 | + - Documentation of repo structure, including symlinks |
| 52 | + - Documentation about dates - that they are retieved from Git history |
| 53 | + - full history required, not shallow clone |
| 54 | + - Create GH issue to design HSEC ID reservation feature |
| 55 | + - re Base readFloat, update bgamari that advisory exists |
| 56 | + - ping pandoc folks, ask them to submit advisories |
| 57 | + - someone |
| 58 | + - Requirements/guidelines for dependency analysis tooling |
| 59 | + - Start writing them down, commit to our repo |