meeting notes: 2024-09-04

meeting-notes/2024-09-04.md

@@ -0,0 +1,45 @@
+# SRT meeting 2024-09-04
+
+Previously: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-08-21.md
+
+## HSEC-2024-0003 - process fix
+
+- PR [#324](https://github.com/haskell/process/pull/324) published (expect merge and release soon)
+- HSEC-2024-0003 advisory update draft PR: [#236](https://github.com/haskell/security-advisories/pull/236)
+
+## *Trusted publishing* for Hackage
+
+- Token workflow
+- Hackage supports token authn today, but they are unscoped
+- See also PyPI implementation: https://docs.pypi.org/trusted-publishers/
+  - Project page references the trusted repo
+  - GHA uses OIDC to auth to PyPI and get short-lived (minutes) token
+  - GHA or publishing workflow uses the token to publish new package version.
+
+## Roadmap of ecosystem security improvements
+
+- Man years of effort are already known :)
+- We should write it all down in an disgestible form.
+- Might make getting funding easier?
+  - Menu / prospectus
+
+### New ideas
+
+- RTS fuzzing (Mihai)
+  - or general fuzzing tooling for Haskell programmers
+
+## haskell-security-action (GHA)
+
+- Gautier published draft GHA for detecting security
+  issues and bumping bounds (using [cabal-audit](https://github.com/MangoIV/cabal-audit/pull/50))
+- GHA draft: https://github.com/blackheaven/haskell-security-action
+- Playground: https://github.com/blackheaven/vulnerable-sandbox/ 
+- Please review and test!
+- Still a lot of work on it: correct file name/line, fix propositions, PR creation, etc.
+
+## Call for volunteers
+
+- Jose's draft is good.
+- How many: "around two or three more members"
+- Closing date: end of September.
+- Fraser will be primary collector of submissions