
advisory distribution and caching mechanisms

Open · frasertweedale opened this issue 11 months ago · 1 comment

Downstream tools need to retrieve, cache and process advisory data. Syncing our Git repo is one way to do it, but

  • Our repo contains tool code and other SRT artifacts, which the consumers do not need
  • This approach depends on the Git CLI tools. It may be brittle as Git evolves over time, and consumers could have different Git versions.

In favour of Git is that, well, it is the original data. We don't have to do any extra exports or anything special to propagate the "out of band" advisory data that we derive from the Git history (published and modified dates).

We should consider designing an archive/cache format that:

  • Provides the current advisory data including fields derived from Git history
  • Is efficient for queries
  • Does not contain irrelevant SRT artifacts
  • Does not depend on Git
  • Can be cached (avoid unnecessary data transfer when local cache is up to date)

frasertweedale · Mar 20 '24 22:03