-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
51b5859
commit 6ec478d
Showing
1 changed file
with
49 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # SRT meeting 2024-05-01 | ||
|
|
||
| Previous notes: | ||
| https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-04-17.md | ||
|
|
||
| ## CI security advice | ||
|
|
||
| - Mihai published the draft: | ||
| https://github.com/haskell/security-advisories/blob/main/guides/github.md | ||
| - A couple more comments to handle, then it will be published to Discourse | ||
|
|
||
| ## Web area for SRT | ||
|
|
||
| - FT will work to bootstrap this. We can publish our guides, | ||
| reports, and general information there. | ||
|
|
||
| ## Publishing our packages to Hackage | ||
|
|
||
| - FT will begin on this in the next week. | ||
| - Discussion: do we want to set up auto-publish from GitHub? | ||
| - There is a GHA by Brandon Chinn to publish to Hackage. | ||
| - https://github.com/fourmolu/fourmolu/blob/main/.github/workflows/release.yml | ||
| - Does it work with subpackages? We would need to see. | ||
| - From supply chain security POV it's better to have an action | ||
| than having developers make the dist and publish themselves. | ||
| - Maybe this is a good topic for our second *guide* and/or a tool | ||
| to validate release tarball from the sources :) | ||
| - We will look into this after the initial package release to Hackage. | ||
|
|
||
| ## New meeting time | ||
|
|
||
| - The when2meet tool does not seem to take timezones into account? | ||
| - We might need a second round / better tool :) | ||
| - FT will look for a better tool. Or else use same tool but in UTC. | ||
|
|
||
| ## The expanding scope of SRT | ||
|
|
||
| - With cabal-audit proposed for our repo, the scope has expanded. | ||
|
|
||
| - Advisory workload is low, so team does have capacity to own this | ||
|
|
||
| - FT: I see cabal-audit as a transitional effort anyway; ideally we | ||
| do not have to own it forever and the capability can be absorbed | ||
| into Cabal itself. | ||
|
|
||
| - Idea: cabal-audit lives in its own repo, not security-advisories repo | ||
| - Prerequisite: publish our packages | ||
| - Advantage: not "owned" by SRT, others might be more eager/willing to contribute. | ||
| - We will have the discussion in public, with the contributor MangoIV. |