offer API to request security advisories
MangoIV opened this issue · 14 comments
Summary
it would be nice if we could serve an api that gives back the advisories that is continuously deployed; currently the only way is cloning the repo or parsing the html of the website; neither is immensely efficient
I will work on a library for that since other consumers (e.g. hackage/flora) will need such a mechanism
if you want to create the API I can do the server, if you want or vice versa...
Thanks, don't worry, I'll pack it into a library.
Where’s this hosted?
I think this was closed by mistake.
@frasertweedale i unfortunately cannot reopen, would you do that for me? Thanks in advance!
Perfect, thank you! ❤️
Actually I think it was fixed with hsec-sync, but maybe I did not understand the problem correctly.
Do you need a way to have a synchronized local copy, or a list of the published advisories?
well; it would be good if we wouldn't require a user to git clone the repository but instead be able to just send a request to some API which can
- give you an update on an advisory, given its ID
- give you all of the advisories, independent of the repo
If you wish, I can build this, I have become very swift at building servant servers ;)
I see, yes, hsec-sync is currently not the best way to achieve that.
On another hand I'm quite worried about this approach for project check as it would end-up with a lot of back-and-forth with the server, moreover I'm reluctant to have the HF host a service (any managed static file hosting would be better).
I think it's better to:
- Ensure to have a local copy
- Query against it
I plan to tackle an archive format (without git, #170), tomorrow and/or on Monday, so it will remove a dependency.
> On another hand I'm quite worried about this approach for project check as it would end-up with a lot of back-and-forth with the server, moreover I'm reluctant to have the HF host a service (any managed static file hosting would be better).
can you elaborate on that? I don’t understand why it would require a lot of back and forth.
I think it’s fair if the HF doesn’t want to host something like that, especially given that we’d probably have to think about the trust model of something like that but I would at least strive to get something like that.
> can you elaborate on that? I don’t understand why it would require a lot of back and forth.
I mean, each time a cabal audit would be triggered, many requests (or a big one) would be sent to the server, which will put a lot of pressure with hard-to-cache queries.
> I think it’s fair if the HF doesn’t want to host something like that, especially given that we’d probably have to think about the trust model of something like that but I would at least strive to get something like that.
I speak only for myself, but running a service that sensitive does not seem to be a good idea.
It would take more effort to run it ourselves rather than using a static hosting solution (we would have a better availability and it would be easier to secure, not to mention distribution with CDNs).
@blackheaven I think the ask here is an API for submitting new advisories to the database. For example, it could create a pull request that the SRT can then review and merge (or not).
I don't think this is about an API for querying the advisory DB.
edit: no, I read the description more carefully, I think the ask is what Gautier thought it was.
In which case I pretty much agree - I don't think hosting an API for querying data is a priority for us. Rather, an archive format and a single artifact hosted somewhere is what we are aiming for, currently.
I mean I’d be fine with single artifact. But if that’s planned anyway, I think I can close this.