From 5d139b2cf99ff5df9013c3842b0b0c042f552e5e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 4 Apr 2024 06:35:47 +1000 Subject: [PATCH] meeting notes: 2024-04-03 --- meeting-notes/2024-04-03.md | 68 +++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 meeting-notes/2024-04-03.md diff --git a/meeting-notes/2024-04-03.md b/meeting-notes/2024-04-03.md new file mode 100644 index 00000000..5cd3d9a3 --- /dev/null +++ b/meeting-notes/2024-04-03.md @@ -0,0 +1,68 @@ +# SRT meeting 2024-04-03 + +Previous meeting notes: +https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-03-20.md + +## ZuriHac / Haskell Ecosystem Workshop + +- Fraser is going +- Gautier is going +- Mihai will know on Friday if he is attending +- Tristan cannot attend + +## Quarterly report + +- Draft: https://github.com/haskell/security-advisories/pull/180 +- FT asked Mihai to contribute a section for the CI security + recommendations. + +## VINCE + +- FT reached out to CERT/CC to ask for help +- `security-advisories@haskell.org` is notification-only. +- We should make individual accounts (TOTP required) and they can be + associated with the "Haskell Programming Language" org within + VINCE. + +## GitHub Actions Runners + +- The reporter was asking what the resolution was. +- Mihai will create a PR with the guidelines documentation and + contact the repo and reporter. +- We cannot fix globally because there is not a single org with all + the Haskell. But we can provide the guidance and recommendations + to the community. + +## A "security" section within haskell.org + +- Jose: Is there a place for collecting ecosystem-wide best + practices? (whether for security, or more generally) +- We would like a section within haskell.org where our + recommendations and info about the advisory DB lives. A more + "official" documentation about Haskell security and the SRT. +- Perhaps also the wiki. + +## liblzma/xz vulnerability? + +- The backdoor was inserted using binary data from test suite, and + only during RPM/.deb builds. Even if code was lifted and used in + cbits, the backdoor probably would not be there. +- But we should still verify. FT will ask Casey. + +## yaml vulnerability + +- Impact and exploitability vector are not clear enough to offer + remediation advice. +- FT will create the advisory. +- We need to check if other yaml packages are affected. + +## Pull requests + +- [cabal audit (#148)](https://github.com/haskell/security-advisories/pull/148) + - The author is keen on making changes if any more feedback + - He is afraid of going forward with other contributions if he has to rebase +- [cabal audit osv/json (#178)](https://github.com/haskell/security-advisories/pull/178) + +- [hsec-sync (#168)](https://github.com/haskell/security-advisories/pull/168) (merged) +- [hsec-tools snapshot (#179)](https://github.com/haskell/security-advisories/pull/179) + - FT: we want to avoid switching TOML library (again), if we can.