HSRT next projects

A bit more than 3 years ago, I joined the HSRT, initially for 6 months to 1 year.

The team was built from people with various areas of expertise; mine was to work on security tools around the advisory database.

We have two missions: coordinate vulnerability fixes and disclosures, and provide tools.

At the time of writing, security-advisories provides the following libraries/tools:

  • hsec-core: Defines the data structures for security advisories and handles their parsing and validation.
  • hsec-tools: Provides utility executables for database maintainers, including querying a security advisories database.
  • hsec-sync: A tool to synchronize the local advisory cache with the remote database snapshots.
  • osv: Implements serialization and deserialization for the OSV format.
  • cvss: Implements scoring and parsing for the Common Vulnerability Scoring System.
  • purl: Handles Package URL parsing and generation, which uniquely identifies package names and versions.

Until now, I had carefully avoided large-scale changes to other components, focusing on what I could have a direct impact on.

Most of our tooling goals are now achieved; the next step is to integrate the tooling across the ecosystem, which led to a first tech proposal:

My goal is to start a broad discussion, assess whether our vision still fits community needs, and detect our blind spots.

On the other hand, I think it is important to be proactive when it comes to security.

Today, most of the vulnerability reports we receive concern hackage-server and its associated tools (haddock, Cabal, etc.).

An important step would be to start decoupling everything, allowing incremental improvement of each part of the toolchain.

I have restarted a sub-topic of an earlier proposal:

I did it for two reasons:

  • It is a well-scoped change which, I hope, will be seen as a first step rather than an end goal, which should ease discussions
  • It is an isolated extraction: the code directly dealing with the actual AST is limited to a few places

I hope that doing so will kick-start a series of smaller changes with greater impact over time.