Fwd: Cabal security advisory proposal

Theophile Hécate Choutri hecate at haskell.foundation
Sun Jul 2 19:46:21 UTC 2023


Hi everyone,
We have received another proposal regarding the Sovereign Tech Fund grants.

I'd be happy to spend some time on Thursday to make sure we're on the same
page.

In the meantime, please do not hesitate to provide feedback.

Cheers,
Hécate

---------- Forwarded message ---------
From: Trevis Elser <trevis at flipstone.com>
Date: Sun, 2 Jul 2023 at 17:27
Subject: Cabal security advisory proposal
To: hecate at haskell.foundation <hecate at haskell.foundation>


Hi there!

You may have heard the German government is accepting proposals to work on
OSS (https://sovereigntechfund.de/en/challenges/).

I'm working on putting together a submission for my employer, Flipstone, to
add a cabal feature allowing a check of dependencies against the new
security advisories database.

@David Thrane Christiansen suggested reaching out to you to get any
suggestions on submitting this and to see if you might have anything for us
to add, particularly to the section that reads as follows:
"Describe your relationship to the maintainers of this technology. Are you
yourself the maintainer? Do they know you plan to do this work and do they
support it? Please tell us more about how you obtained their support and
how you plan to work together to make sure your contributions are accepted."

For what it's worth, my thought is that we'd use the external command
functionality that I've seen you've contributed to at
https://github.com/haskell/cabal/pull/9063 to at least initially build this
out, and then perhaps work to get it merged or not.

Finally, I'd love to hear if you have thoughts on accurately representing
cabal for the questions:

"How are decisions regarding this technology's development made? Please
describe the project's governance model."

and

"How does this project handle security risks? Are there policies,
procedures, or tools in place to minimize the introduction of
vulnerabilities or undesired contributions?"


Thanks so much for your time!

-- 
Trevis Elser | Chair Stability Working Group | Software Engineer