
Disclosure policies #129

Open
hasufell opened this issue Nov 16, 2023 · 6 comments

Comments

@hasufell
Member

https://github.com/haskell/security-advisories/blob/main/advisories/hackage/cabal-install/HSEC-2023-0015.md

Has been disclosed without giving heads up to distributors (such as GHCup). Now GHCup is recommending a vulnerable version.

We can't recommend the latest cabal, because it has major regressions.

This makes us look bad. I need time to do a backport.

@TristanCacqueray
Collaborator

The policy is documented here: https://github.com/haskell/security-advisories/blob/main/PROCESS.md#extent-of-disclosure . It looks like we are missing a point of contact for GHCup.

@blackheaven
Collaborator

Actually we have it (Mihai has sent an e-mail on July 17th with it).

The thing is, we do not have a secure place to store this kind of information; a private wiki or something should be set up.

@hasufell
Member Author

It looks like we are missing a point of contact for GHCup.

My email is in my GitHub profile.

@blackheaven
Collaborator

@hasufell if you lack time, I can see if I can handle it this Saturday, if you can give me the hints/links.

@mihaimaruseac
Collaborator

This is on me too; I was not around when the release was done, so I missed sending notifications to upstream. In the future we'll probably need to add a synchronization step just before release to make sure this doesn't occur again.

@hasufell
Member Author

I have backported and built my own bindists: haskell/ghcup-metadata#158

Does anyone have an idea whether cabal developers created a regression test for this? I couldn't get information on that so far.

4 participants