Open
A note to be fleshed out into a proposal -- the GitHub Advisory Database team is looking for collaboration opportunities here, and the Rust Secure Code WG may have some things to offer as inspiration (https://github.com/rust-secure-code/wg).
Some basic components: a database (perhaps bootstrapping off the GitHub database), a way to publish and verify CVEs, and integrated Hackage/cabal querying to warn about bad deps, perhaps auto-hooked to the solver.
Also: a trusted team and point of contact (GHC already has one). Not sure what the other components of "good" ecosystem-wide security practices are, but this is a start, and more suggestions are welcome.
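To make the "warn about bad deps" component concrete, here is an added example (not part of the issue, and not code from any Haskell project) of the check such tooling would run: it reads the `constraints:` stanza of a `cabal.project.freeze` file and matches each pinned version against an advisory list with `[introduced, fixed)` version ranges. The freeze-file snippet, the advisory entries, the `EXAMPLE-*` identifiers and the advisory record shape are all constructed for illustration; no real advisory format or real vulnerability is implied.

```python
"""Match pinned cabal dependencies against a small advisory list.

Added example for illustration only. The freeze-file text, the advisory
entries and their EXAMPLE-* ids are constructed; the advisory record shape
(package, id, list of (introduced, fixed) pairs) is an assumption, not an
existing format.
"""
import re

# Constructed freeze-file snippet. `cabal freeze` writes one `constraints:`
# stanza whose entries look like `any.<package> ==<version>`.
FREEZE_FILE = """\
active-repositories: :rest
constraints: any.aeson ==2.1.2.1,
             any.base ==4.17.2.0,
             any.xml-conduit ==1.9.1.1,
             any.zlib ==0.6.3.0
index-state: hackage.haskell.org 2023-10-01T00:00:00Z
"""

# Constructed advisories (hypothetical ids and ranges). Each affected range is
# half-open, [introduced, fixed); fixed=None means no fixed release exists.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "aeson",
     "affected": [("2.0.0.0", "2.2.0.0")]},
    {"id": "EXAMPLE-2023-0002", "package": "xml-conduit",
     "affected": [("1.9.0.0", None)]},
    {"id": "EXAMPLE-2023-0003", "package": "zlib",
     "affected": [("0.5.0.0", "0.6.3.0")]},  # pinned 0.6.3.0 is the fix: no hit
]

Version = tuple[int, ...]


def parse_version(s: str) -> Version:
    """'2.1.2.1' -> (2, 1, 2, 1); dotted integers only, as Hackage versions are."""
    return tuple(int(p) for p in s.strip().split("."))


def version_lt(a: Version, b: Version) -> bool:
    """Strict less-than; shorter tuples are padded with zeros so 1.2 == 1.2.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


_CONSTRAINT_RE = re.compile(r"any\.([A-Za-z0-9\-]+)\s*==\s*([0-9.]+)")


def parse_freeze(text: str) -> dict[str, Version]:
    """Return {package: pinned version} from the constraints stanza."""
    return {m.group(1): parse_version(m.group(2))
            for m in _CONSTRAINT_RE.finditer(text)}


def in_range(v: Version, introduced: str, fixed) -> bool:
    """True when introduced <= v < fixed (or v >= introduced if fixed is None)."""
    if version_lt(v, parse_version(introduced)):
        return False
    return fixed is None or version_lt(v, parse_version(fixed))


def check(pins: dict[str, Version], advisories) -> list[tuple[str, str, str]]:
    """Return (package, version, advisory id) for every pinned package that
    falls inside an advisory's affected range."""
    hits = []
    for adv in advisories:
        v = pins.get(adv["package"])
        if v is None:
            continue  # not in the build plan, nothing to warn about
        if any(in_range(v, lo, hi) for lo, hi in adv["affected"]):
            hits.append((adv["package"], ".".join(map(str, v)), adv["id"]))
    return hits


if __name__ == "__main__":
    for pkg, ver, aid in check(parse_freeze(FREEZE_FILE), ADVISORIES):
        print(f"warning: {pkg}-{ver} is affected by {aid}")
```

The half-open range matters: a package pinned at exactly the fixed version (zlib above) must not be flagged. Hooking this to the solver, as the note suggests, would mean running the same check over the resolved plan (for instance the `plan.json` cabal writes under `dist-newstyle/cache/`) rather than over a hand-maintained freeze file.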