-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
795630c
commit 945aba6
Showing
1 changed file
with
61 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| # SRT 2023-06-28 | ||
|
|
||
| ## Previous Action Items | ||
|
|
||
| - Fraser did not yet draft the SRT announcement | ||
| - We still have several known issues yet to have the advisories submitted | ||
|
|
||
| ## Library advisory role-play | ||
|
|
||
| - For multiple affected packages, where root cause is in a | ||
| lower-level dependency: we MUST mention the "root" package, and | ||
| SHOULD mention dependent packages that specifically mitigate the | ||
| issue. So that tooling (e.g. cabal audit) can deduce that the | ||
| issue is not occurring. | ||
|
|
||
| - Upcoming "vex" standard: | ||
| - https://blog.adolus.com/what-is-vex-and-what-does-it-have-to-do-with-sboms | ||
| - https://cyclonedx.org/capabilities/vex/ | ||
|
|
||
|
|
||
| ## OSV export | ||
|
|
||
| - demo | ||
| - branch name | ||
| - **decision: `generated/osv-export`** | ||
| - git "user id" (name and email address) | ||
| - Haskell Security Response Team <security-advisories@haskell.org> | ||
| - commit message | ||
| - currently just the timestamp | ||
| - could include a reference to commit ID and/or commit message from the `main` branch | ||
| - **Decision**: include source commit ID in OSV branch commit message | ||
| - Casey: what about signing the commits? | ||
| - FT: then the private key needs to live in GitHub secrets. Not thrilled about it. | ||
| - sigstore? What sort of GitHub actions integration do they have? | ||
| - https://github.com/sigstore/gitsign | ||
| - **Decision: investigate further** | ||
|
|
||
|
|
||
| ## Real advisories | ||
| (redacted) | ||
|
|
||
| ## Distributor notification | ||
|
|
||
| - We should have a directory of important distributors so that they can | ||
| respond to issues. | ||
| - Commit the checklist / playbook to the repo. | ||
| - **Owner: Tristan** | ||
| - Who: | ||
| - Stack, GHCup, haskell-ci? | ||
| - Linux distros | ||
|
|
||
| ## Advisory "official launch" | ||
|
|
||
| - still needs to draft announcement (David will draft and send to mailing list) | ||
| - Also need to do quarterly report, so can roll them into one announcement :) | ||
|
|
||
| ## Action items | ||
| - Tristan: will adapt responsible disclosure instructions | ||
| - Fraser: complete OSV data export CI action | ||
| - David: will draft announcement/report for group | ||
| - Tristan: Will email mailing list about **<redacted>** issue and affected packages |