Haskell security tooling integrations#69
Conversation
1abe46a to
0e8cd22
Compare
|
I think making security information accessible is an important goal. What I'm not sure about is whether:
is the right way to go. For 1. we have cabal's external command system: https://cabal.readthedocs.io/en/stable/external-commands.html and distributors (such as ghcup) are free to bundle other tools. I don't see that as a complicated problem, but it may require us to improve certain interfaces in cabal (which is good). Point 2. is quite delicate. Once syntax is added, it's hard to ever get rid of it. I'm also not entirely sure why the security vulnerability data has to live in the I think we should be able to provide an out-of-the-box experience without moving all that functionality into cabal. |
|
I strongly agree that it would be great to have security advisory information be more prominently accessible in general and part of the usual workflow of application and package maintainers. |
|
I do think that extending hackage with this data would be a good thing, bearing in mind other efforts on the hackage codebase that may affect when and how it makes sense to implement this. On a cabal command vs plugin, I do worry that extending the cabal executable rather than using plugins will further bloat an already very complicated codebase. If there are significant advantages to integration that's reasonable (or if there's a long-term accepted plan to integrate security information with existing cabal commands). However, if the desired interaction is effectively the same with a plugin model, I'd urge the plugin model be kept for now. And finally, I agree with others that extending the Further, since the data about security advisories is already kept in the security advisory database, this would create a competing, and probably imperfect second source of truth. Much better to have a single reliable source that everything can use than two sources, one of which is less reliable. If the goal is to improve usage of security advisory data, I might want to take a step back and ask how significant projects already do security advisory audits. Do they have tools for that already that work over other portions of their codebase? Would it be possible instead to ensure those tools work well with the haskell ones? |
…on#69 feedback - Reclassify as RFC; restructure to RFC template sections - Add Prior Art and Related Efforts (cabal-audit, cabal-plan-submit, cabal external-command/plugin system, Hackage improvement, flora.pm) - Reframe cabal audit to use the external-command/plugin system plus distributor bundling rather than a built-in command - Drop the .cabal/cabal.project syntax extension; document the rejection in Alternatives Considered (single source of truth, .cabal fixed at upload) - Add Drawbacks and Risks, Needs Assessment/Open Questions sections - Add People and Time placeholders; update Problem Statement and Success
|
Thanks for your feed-backs, I fully agree, I have narrowed down the proposal. |
It's not a limited proposal, I hope some discussion will take place around our needs and blind spots we may have.
edit: rendered https://github.com/blackheaven/tech-proposals/blob/0e8cd229e88614162db565cc07350ecda55d182e/proposals/0000-haskell-security-tooling-integrations.md