On Wed, Aug 21, 2019 at 1:29 PM Sam Ruby <ru...@intertwingly.net> wrote:
> On Wed, Aug 21, 2019 at 6:55 AM Mark J. Cox <m...@apache.org> wrote:
> >
> > > Many of the files have very long lines, so will be difficult to maintain.
> >
> > The Vulnogram tool is a nodejs app and the standalone files are generated using a nodejs script. I was intending to just check in the compiled files for now.
>
> Long term, I don't think checking in the compiled files is the right solution.

However I don't really expect much change to this tool once it's stable -- perhaps when the CVE automation WG get JSON submission of CVE requests working we'd update it.

> Perhaps we can discuss the right long term solution, then work backwards from there?
>
> One possibility is for the security team to request a VM (perhaps security.apache.org or perhaps cve.apache.org?). I believe that it could be spun up within an hour.

Medium term I was expecting to check in the scripts that could build the static pages too (even if whimsy doesn't actually run them), but I'm working with the Vulnogram author so we can try to separate out the ASF-specific changes into something that means we're running clean upstream Vulnogram with just a custom configuration.

We did used to have a VM, but it just seems like a bit of overkill for hosting a few static files that we really want to be used as a committers tool.

Note that everything is done 'in browser'; the tool is not intended to store anything, and for any projects using it in advance with embargoed security info, nothing gets transmitted (except eventually to Mitre once the submission stuff is written).

Mark