-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
meeting notes: 2023-10-18, 2023-11-01
- Loading branch information
1 parent
09bb965
commit 6433a80
Showing
2 changed files
with
59 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| # SRT meeting 2023-10-18 | ||
|
|
||
| [Previous meeting notes](https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-10-04.md) | ||
|
|
||
| ## Present | ||
|
|
||
| - Tristan, Gautier and Fraser | ||
|
|
||
| ## Previous AIs | ||
|
|
||
| - PR have been merged | ||
|
|
||
| ## Remaining work to be merged | ||
|
|
||
| - CWE and CVSS validation and data type | ||
| - Work on GitHub workflow automation enhancement can proceed when this has been merged. | ||
| - FT: As far as I know, we have to pursue a webhook or "bot" approach | ||
| rather than exeucting behaviour within webhooks, because PRs from | ||
| forks do not have privileged tokens. | ||
| - Tristan: what about issues? Do actions triggered by issues have the needed permissions? | ||
| - OpenStack CI has a concept of config job which can run with privileged on untrusted project. | ||
|
|
||
| ## Downstream tooling | ||
|
|
||
| - David's post calling for action: | ||
| https://discourse.haskell.org/t/would-you-like-to-write-a-security-advisory-analyzer/7638 | ||
| - Gautier: community contribution that was merged as part of the `check` command: https://github.com/blackheaven/security-advisories/pull/2 | ||
|
|
||
| ## Outstanding embargoed issue | ||
|
|
||
| - Follow up with Mihai if he knows the status. We might | ||
| set a date for disclosure and advise downstream and upstream |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # SRT meeting 2023-11-01 | ||
|
|
||
| Previous notes: https://edit.smart-cactus.org/cpEZf5ykQZGowfAzI3OPcA?both# | ||
|
|
||
| ## Present | ||
|
|
||
| - Tristan, Gautier and Fraser | ||
|
|
||
|
|
||
| ## CVSS | ||
|
|
||
| - Tristan is working through the TODOs. | ||
|
|
||
| ## GitHub automation | ||
|
|
||
| - Fraser is hoping to start work during the next 2 weeks. | ||
|
|
||
|
|
||
| ## Outstanding embargoed issue | ||
|
|
||
| - Follow up with Mihai if he knows the status. We might | ||
| set a date for disclosure and advise downstream and upstream | ||
|
|
||
| ## Quarterly report | ||
|
|
||
| - We are overdue for the Q3 report. Fraser will draft | ||
| a report in the next period. |