Commit 215e05e

Polishing of the draft
1 parent 3697683 commit 215e05e

1 file changed: +6 / -4 lines
proposals/advisory-db.md

Lines changed: 6 additions & 4 deletions
@@ -1,5 +1,7 @@
11
# An Advisory Repository for Haskell
22

3+
By David Thrane Christiansen
4+
35
This is a Haskell Foundation project proposal.
46

57
## Abstract
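Review bot: the new byline added at line 3 of the file is a bare paragraph with no date or status, and this commit ("Polishing of the draft") shows the document is being revised; consider adding the date or a status line next to the author so a reader can tell which revision of the proposal they are looking at.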
@@ -10,7 +12,7 @@ This kind of tooling is nice for developers, and it can also be essential for ac
1012

1113
This proposal does not seek to present a complete solution. Instead, it presents a first step towards advisory automation: the establishment of a repository of advisories. GitHub has expressed interest in building support for such a database into Dependabot, their tool for notifying authors and adjusting bounds automatically, so we can gain real value very quickly, and then defer further development to the future. Future work will be explained in order to demonstrate that this proposal's outcome will be a useful foundation on which to build.
1214

13-
The overall strategy of this proposal is to avoid reinventing the wheel. We should, to the extent possible, do what other language communities do. In particular, I plan to copy the Rust approach.
15+
The overall strategy of this proposal is to avoid reinventing the wheel. We should, to the extent possible, do what other language communities do. In particular, I plan to mostly copy the Rust approach.
1416

1517
## Background
1618

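Review bot: changing "copy the Rust approach" to "mostly copy the Rust approach" at line 15 introduces a hedge the paragraph does not resolve: the reader is told the Rust approach is the model but not where this proposal departs from it. Suggest a short pointer here to the part of the document that lists the deviations (the File Format section in this same file says the format has "changes made for compatibility with Haskell tooling and concepts"), so the scope of "mostly" is explicit rather than left for the reader to discover.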
@@ -26,9 +28,9 @@ Programs written in Haskell are not immune to security problems, notwithstanding
2628

2729
### Freeze Files and Build Files
2830

29-
A _build file_ describes constraints on the direct dependencies needed to build a project. Typically, a build file will Haskell build tools use the following formats for build files:
31+
A _build file_ describes constraints on the direct dependencies needed to build a project. Typically, Haskell build tools use the following formats for build files:
3032
* `.cabal` files are the native format used by `cabal-install`, and part of the configuration of a package that uses `stack`.
31-
* `stack.yaml` files point the `stack` tool at a Stackage resolver, which contains a collection of packages that are tested and maintained in lockstep. When using Stack, the `.cabal` file often omits specific information about version bounds, because a Stackage resolver contains only one version of each package. The `stack.yaml` file can additionally point at additional dependencies, such as from a Git repository.
33+
* `stack.yaml` files point the `stack` tool at a Stackage resolver, which contains a collection of packages that are tested and maintained in lockstep. When using Stack, the `.cabal` file often omits specific information about version bounds, because a Stackage resolver contains only one version of each package. The `stack.yaml` file can also point at additional dependencies, such as from a Git repository.
3234
* `package.yaml` files are used by `hpack` to generate `.cabal` files, filling out a number of default values by inspecting the code.
3335
* `cabal.project` files configure the relationship between a collection of packages in a repository, and can do things like specifying alternate sources for dependencies, much like a `stack.yaml` file.
3436

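Review bot: the rewrite at line 31 fixes the garbled sentence ("a build file will Haskell build tools use") and now reads cleanly, and the change from "can additionally point at additional dependencies" to "can also point at additional dependencies" at line 33 removes the doubled word. One consequence the corrected text makes visible: the `stack.yaml` bullet says the `.cabal` file "often omits specific information about version bounds" because a Stackage resolver contains only one version of each package. For advisory matching, that means a Stack project's affected-version check cannot rely on `.cabal` bounds alone; it has to resolve the snapshot to concrete package versions. Worth stating in this section, since it determines what consumers of the advisory repository must read to decide whether a project is affected.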
@@ -80,7 +82,7 @@ The people involved in executing this proposal, if accepted, are:
8082

8183
### File Format
8284

83-
The file format for advisories is based on that of RustSec, with changes made only for compatibility with Haskell tooling and concepts. An advisory consists of a Markdown file, the first element of which must be a fenced code block written in the `toml` language. This block contains the advisory's structured metadata.
85+
The file format for advisories is based on that of RustSec, with changes made for compatibility with Haskell tooling and concepts. An advisory consists of a Markdown file, the first element of which must be a fenced code block written in the `toml` language. This block contains the advisory's structured metadata.
8486

8587
The TOML frontmatter must contain a table called `advisory` and a table called `versions`, and it may contain a table called `affected`. The `advisory` table contains the following fields, all of which are mandatory unless otherwise indicated:
8688
* `id`, a string, which is a unique identifier. This string should have the form `HSEC-YYYY-NNNN`, where `YYYY` is the year and `NNNN` is a sequential numbering beginning at `0001`.
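Review bot: dropping "only" at line 85 turns "changes made only for compatibility with Haskell tooling and concepts" into an open-ended statement about how far the format diverges from RustSec; since the proposal's stated strategy is to copy the Rust approach, consider enumerating the deviations from the RustSec format explicitly, so tooling that already parses RustSec advisories knows exactly what differs. On the `id` field in the trailing context: the form `HSEC-YYYY-NNNN` with `NNNN` "beginning at `0001`" implies the counter resets each year; say so explicitly, and say how a number is allocated, since two contributors drafting advisories at the same time would otherwise pick the same next `NNNN`.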
