Disclosure policies #129
https://github.com/haskell/security-advisories/blob/main/advisories/hackage/cabal-install/HSEC-2023-0015.md

Has been disclosed without giving a heads-up to distributors (such as GHCup). Now GHCup is recommending a vulnerable version.

We can't recommend the latest cabal, because it has major regressions.

This makes us look bad. I need time to do a backport.

Comments

The policy is documented here: https://github.com/haskell/security-advisories/blob/main/PROCESS.md#extent-of-disclosure . It looks like we are missing a point of contact for GHCup.

Actually we have it (Mihai has sent an e-mail on July 17th with it). The thing is, we do not have a secure place to store this kind of information; a private wiki or something should be set up.

My email is in my GitHub profile.

@hasufell if you lack time, I can see if I can handle it this Saturday, if you can give me the hints/links.

This is on me too: I was not around when the release was done, so I missed sending notifications to upstream. In future we'll probably need to add a synchronization step just before release to make sure this doesn't occur again.

I have backported and built my own bindists: haskell/ghcup-metadata#158 Does anyone have an idea whether cabal developers created a regression test for this? I couldn't get information on that so far.