haskell / security-advisories

https://haskell.github.io/security-advisories/

Disclosure policies #129

Open hasufell opened 11 months ago

hasufell commented 11 months ago

https://github.com/haskell/security-advisories/blob/main/advisories/hackage/cabal-install/HSEC-2023-0015.md

This has been disclosed without giving a heads-up to distributors (such as GHCup). Now GHCup is recommending a vulnerable version.

We can't recommend the latest cabal, because it has major regressions.

This makes us look bad. I need time to do a backport.

TristanCacqueray commented 11 months ago

The policy is documented here: https://github.com/haskell/security-advisories/blob/main/PROCESS.md#extent-of-disclosure . It looks like we are missing a point of contact for GHCup.

blackheaven commented 11 months ago

Actually we have it (Mihai has sent an e-mail on July 17th with it).

The thing is, we do not have a secure place to store this kind of information; a private wiki or something should be set up.

hasufell commented 11 months ago

> It looks like we are missing a point of contact for GHCup.

My email is in my GitHub profile.

blackheaven commented 11 months ago

@hasufell if you lack time, I can see if I can handle it this Saturday, if you can give me the hints/links.

mihaimaruseac commented 11 months ago

This is on me too; I was not around when the release was done, so I missed sending notifications to upstream. In future we'll probably need to add a synchronization step just before release to make sure this doesn't occur again.

hasufell commented 11 months ago

I have backported and built my own bindists: https://github.com/haskell/ghcup-metadata/pull/158

Does anyone have an idea whether cabal developers created a regression test for this? I couldn't get information on that so far.