
offer API to request security advisories #166

Closed
MangoIV opened this issue Mar 17, 2024 · 14 comments · Fixed by #168
Comments

@MangoIV (Contributor) commented Mar 17, 2024

Summary

It would be nice if we could serve an API that gives back the advisories and that is continuously deployed; currently the only way is cloning the repo or parsing the HTML of the website; neither is immensely efficient.

@MangoIV MangoIV mentioned this issue Mar 17, 2024
8 tasks
@blackheaven blackheaven self-assigned this Mar 17, 2024
@blackheaven (Collaborator) commented

I will work on a library for that since other consumers (e.g. hackage/flora) will need such a mechanism.

@MangoIV (Contributor, author) commented Mar 18, 2024

If you want to create the API, I can do the server, or vice versa...

@blackheaven (Collaborator) commented

Thanks, don't worry, I'll pack it into a library.

@blackheaven blackheaven linked a pull request Mar 19, 2024 that will close this issue
@MangoIV (Contributor, author) commented Mar 29, 2024

Where’s this hosted?

@frasertweedale (Collaborator) commented

I think this was closed by mistake.

@MangoIV (Contributor, author) commented Mar 29, 2024

@frasertweedale I unfortunately cannot reopen, would you do that for me? Thanks in advance!

@blackheaven blackheaven reopened this Mar 29, 2024
@MangoIV (Contributor, author) commented Mar 29, 2024

Perfect, thank you! ❤️

@blackheaven (Collaborator) commented

Actually I think it was fixed with hsec-sync, but maybe I did not understand the problem correctly.

Do you need a way to have a synchronized local copy, or a list of the published advisories?

@MangoIV (Contributor, author) commented Mar 30, 2024

Well, it would be good if we didn't require a user to git clone the repository but could instead just send a request to some API which can:

  • give you an update on an advisory, given its ID
  • give you all of the advisories, independent of the repo

If you wish, I can build this, I have become very swift at building servant servers ;)

@blackheaven (Collaborator) commented

I see, yes, hsec-sync is currently not the best way to achieve that.

On the other hand, I'm quite worried about this approach for project check as it would end up with a lot of back-and-forth with the server; moreover, I'm reluctant to have the HF host a service (any managed static file hosting would be better).

I think it's better to:

  1. Ensure to have a local copy
  2. Query against it

I plan to tackle an archive format (without git, #170) tomorrow and/or on Monday, so it will remove a dependency.

@MangoIV (Contributor, author) commented Mar 30, 2024

> On the other hand, I'm quite worried about this approach for project check as it would end up with a lot of back-and-forth with the server; moreover, I'm reluctant to have the HF host a service (any managed static file hosting would be better).

Can you elaborate on that? I don't understand why it would require a lot of back and forth.

I think it's fair if the HF doesn't want to host something like that, especially given that we'd probably have to think about the trust model of something like that, but I would at least strive to get something like that.

@blackheaven (Collaborator) commented

> Can you elaborate on that? I don't understand why it would require a lot of back and forth.

I mean, each time a cabal audit was triggered, many requests (or a big one) would be sent to the server, which would put a lot of pressure on it with hard-to-cache queries.

> I think it's fair if the HF doesn't want to host something like that, especially given that we'd probably have to think about the trust model of something like that, but I would at least strive to get something like that.

I speak only for myself, but running a service that sensitive does not seem to be a good idea.

It would take more effort to run it ourselves rather than using a static hosting solution (we would have a better availability and it would be easier to secure, not to mention distribution with CDNs).

@frasertweedale (Collaborator) commented Mar 30, 2024

@blackheaven I think the ask here is an API for submitting new advisories to the database. For example, it could create a pull request that the SRT can then review and merge (or not).

I don't think this is about an API for querying the advisory DB.

Edit: no, I read the description more carefully; I think the ask is what Gautier thought it was.

In which case I pretty much agree - I don't think hosting an API for querying data is a priority for us. Rather, an archive format and a single artifact hosted somewhere is what we are aiming for, currently.

@MangoIV (Contributor, author) commented Mar 31, 2024

I mean, I'd be fine with a single artifact. But if that's planned anyway, I think I can close this.

@MangoIV MangoIV closed this as completed Mar 31, 2024