-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
abee98b
commit 5d139b2
Showing
1 changed file
with
68 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| # SRT meeting 2024-04-03 | ||
|
|
||
| Previous meeting notes: | ||
| https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-03-20.md | ||
|
|
||
| ## ZuriHac / Haskell Ecosystem Workshop | ||
|
|
||
| - Fraser is going | ||
| - Gautier is going | ||
| - Mihai will know on Friday if he is attending | ||
| - Tristan cannot attend | ||
|
|
||
| ## Quarterly report | ||
|
|
||
| - Draft: https://github.com/haskell/security-advisories/pull/180 | ||
| - FT asked Mihai to contribute a section for the CI security | ||
| recommendations. | ||
|
|
||
| ## VINCE | ||
|
|
||
| - FT reached out to CERT/CC to ask for help | ||
| - `[email protected]` is notification-only. | ||
| - We should make individual accounts (TOTP required) and they can be | ||
| associated with the "Haskell Programming Language" org within | ||
| VINCE. | ||
|
|
||
| ## GitHub Actions Runners | ||
|
|
||
| - The reporter was asking what the resolution was. | ||
| - Mihai will create a PR with the guidelines documentation and | ||
| contact the repo and reporter. | ||
| - We cannot fix globally because there is not a single org with all | ||
| the Haskell. But we can provide the guidance and recommendations | ||
| to the community. | ||
|
|
||
| ## A "security" section within haskell.org | ||
|
|
||
| - Jose: Is there a place for collecting ecosystem-wide best | ||
| practices? (whether for security, or more generally) | ||
| - We would like a section within haskell.org where our | ||
| recommendations and info about the advisory DB lives. A more | ||
| "official" documentation about Haskell security and the SRT. | ||
| - Perhaps also the wiki. | ||
|
|
||
| ## liblzma/xz vulnerability? | ||
|
|
||
| - The backdoor was inserted using binary data from test suite, and | ||
| only during RPM/.deb builds. Even if code was lifted and used in | ||
| cbits, the backdoor probably would not be there. | ||
| - But we should still verify. FT will ask Casey. | ||
|
|
||
| ## yaml vulnerability | ||
|
|
||
| - Impact and exploitability vector are not clear enough to offer | ||
| remediation advice. | ||
| - FT will create the advisory. | ||
| - We need to check if other yaml packages are affected. | ||
|
|
||
| ## Pull requests | ||
|
|
||
| - [cabal audit (#148)](https://github.com/haskell/security-advisories/pull/148) | ||
| - The author is keen on making changes if any more feedback | ||
| - He is afraid of going forward with other contributions if he has to rebase | ||
| - [cabal audit osv/json (#178)](https://github.com/haskell/security-advisories/pull/178) | ||
|
|
||
| - [hsec-sync (#168)](https://github.com/haskell/security-advisories/pull/168) (merged) | ||
| - [hsec-tools snapshot (#179)](https://github.com/haskell/security-advisories/pull/179) | ||
| - FT: we want to avoid switching TOML library (again), if we can. |