
Disclosure policies

Open hasufell opened this issue 2 years ago • 6 comments

https://github.com/haskell/security-advisories/blob/main/advisories/hackage/cabal-install/HSEC-2023-0015.md

Has been disclosed without giving a heads-up to distributors (such as GHCup). Now GHCup is recommending a vulnerable version.

We can't recommend the latest cabal, because it has major regressions.

This makes us look bad. I need time to do a backport.

hasufell avatar Nov 16 '23 11:11 hasufell

The policy is documented here: https://github.com/haskell/security-advisories/blob/main/PROCESS.md#extent-of-disclosure . It looks like we are missing a point of contact for GHCup.

TristanCacqueray avatar Nov 16 '23 12:11 TristanCacqueray

Actually we have it (Mihai has sent an e-mail on July 17th with it).

The thing is, we do not have a secure place to store this kind of information; a private wiki or something should be set up.

blackheaven avatar Nov 16 '23 13:11 blackheaven

> It looks like we are missing a point of contact for GHCup.

My email is in my GitHub profile.

hasufell avatar Nov 16 '23 13:11 hasufell

@hasufell if you lack time, I can see if I can handle it this Saturday, if you can give me the hints/links.

blackheaven avatar Nov 16 '23 21:11 blackheaven

This is on me too, I was not around when the release was done so I missed sending notifications to upstream. In future we'll probably need to add a synchronization step just before release to make sure this doesn't occur again.

mihaimaruseac avatar Nov 17 '23 15:11 mihaimaruseac

I have backported and built my own bindists: https://github.com/haskell/ghcup-metadata/pull/158

Does anyone have an idea whether cabal developers created a regression test for this? I couldn't get information on that so far.

hasufell avatar Nov 17 '23 16:11 hasufell