Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

[Feature Request] Alternative repository for security-advisories #37

Closed rockandska closed 5 years ago

rockandska commented 6 years ago

Hi,

I think that the possibility to change the security-advisories repository will permit us to satisfy the requirements to have a CI runner without internet connection and will solve the need to have security-checker self-hosted (https://github.com/sensiolabs/security-checker/issues/99).

What is your opinion on it?

Ocramius commented 6 years ago

Kind of useless: you WANT it to be always online, since security advisories are published on the web. Synchronization processes just add complexity and failures.

rockandska commented 6 years ago

It is not useless at all....

The sensiolabs security check is the only service used by the developers inside my company which can't be self-hosted at this moment, and I only asked for a little tweak to be able to use a private repository....

Who says that the workflow / architecture will be the one you describe and that it is the only way to go?

Why is it useful?

To be able to have all dependencies in a private network and be able to reproduce builds without external dependencies which can disappear from the internet....

How to achieve this? (just for the example): 1 gateway (pfSense), 2 networks on 2 distinct NICs. The LAN1 network has outbound access to the WAN; the LAN2 network has access only to LAN1. LAN1 is used to clone repositories automatically (Gitea, Gogs, GitLab EE, etc.), a Docker registry, etc. LAN2 is used by some CI runners and uses the private "security-advisories" repository (mirrored every X hours by Gogs, etc.).

Sorry, I don't really see complexity but only sanity in this architecture....

Regards,

Ocramius commented 6 years ago

For what you described above, all you need is to buy and host Private Packagist (a product from the same developers as Composer): no addition is needed in this library; it would work out of the box.

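As an added illustration of the setup discussed above (not code from this project or from anyone in the thread), this is a consumer composer.json that resolves every package, including roave/security-advisories, from an internal Composer repository (Satis or Private Packagist) and disables packagist.org, so a CI runner on the isolated network needs no outbound access. The hostname `satis.internal.example`, the project name and the `dev-latest` branch alias are assumptions; the mirror must carry whichever branch of roave/security-advisories it was built from. Because the package consists only of `conflict` rules, a mirrored copy enforces the same exclusion list offline.

```json
{
    "name": "acme/internal-app",
    "description": "Constructed example: build that must resolve without internet access",
    "repositories": [
        {
            "type": "composer",
            "url": "https://satis.internal.example"
        },
        {
            "packagist.org": false
        }
    ],
    "require": {
        "php": "^7.1"
    },
    "require-dev": {
        "roave/security-advisories": "dev-latest"
    }
}
```

Re-running `composer update` after each mirror refresh is what picks up newly published advisories; the exclusion list is only as current as the last sync.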
paragonie-scott commented 6 years ago

Would this request warrant a dedicated documentation page and/or section of the README? (i.e. it would point people towards Private Packagist, which might in turn do some good for the PHP community if more companies that need these use cases pay for it)

Ocramius commented 6 years ago

2 sections of README.md are surely missing:

  1. the fact that any packages are included, even from private/forked repos and own satis/packagist instances
  2. the fact that this package is generated from https://github.com/Roave/SecurityAdvisoriesBuilder

Ocramius commented 5 years ago

Closing here: if this is still relevant, please directly send a PR with the changes to README.md.