meeting notes: 2024-05-29

meeting-notes/2024-05-29.md

@@ -0,0 +1,52 @@
+# SRT meeting 2024-05-29
+
+Previously:
+https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-05-15.md
+
+## publishing  our tools on Hackage
+
+- Packages: cvss, osv, hsec-core, hsec-tools, hsec-sync
+- FT will upload.  Just asking if there are further comments about
+  version numbers, dep version constraints, etc?
+- Co-maintainers - who, and what are your Hackage usernames?
+  - `gdifolco`
+  - `TristanCacqueray`
+
+## SRT members, moving forward
+
+- Casey has limited time
+- We're at the 1y point, time for a new call?
+- Updating the charter: Casey thinks we should expand it to be more
+  involved with the tooling (within and without ecosystem)
+
+- Remember the original motivation: supporting enterprise adoption.
+  - e.g. financial industry - how well do we meet their standards?
+  - Survey industry users to understand what is lacking?
+  - [FT] FIPS mode, verified crypto libraries (i.e. back on to
+    OpenSSL/NSS/etc)
+
+- What is missing:
+  - SBOM? ("software provenance")
+  - Larger discovery effort?
+  - OSS-Fuzz support?
+  - OpenSSF best practices:
+    https://www.bestpractices.dev/en/criteria/0 ?
+
+- SRT has some context-switching.  Should we have separate subgroups
+  for triage / tool development / etc?
+
+- We can discuss on list over the coming days, and engage with folks
+  at ZuriHac to determine the next move.  General agreement that we
+  can/should grow the team.
+
+- Retirements: Casey will step back.  (Thank you for all you've
+  done!)
+
+## YAML advisory has been rejected ([#181](https://github.com/haskell/security-advisories/issues/181))
+
+- FT will ask Julian if he is satisfied with this conclusion.
+
+## deps.dev
+
+- FT received message from deps.dev developer at Google.  Still need
+  to follow up.