Advisory data: tombstone events for withdrawn packages #576
Labels: enhancement (New feature or request), needs-triage (applied to all new customer/user issues. Removed after triage occurs.)
Context
We recently added some much needed validation of our advisory data into wolfictl, which is used as a CI check in our advisories repos. The validation rules relevant to this proposal are:
Rules 1 and 2 are checked across all data in the advisories repo. Rule 3 is a function of what was changed in the current PR (relative to the designated fork point).
Meanwhile... we also withdraw packages (i.e. specific APK files) from the distro from time to time.
This results in an unpleasant side effect where: a new fixed event can be added that's valid because the package version exists, then the package version is withdrawn, and then validation runs again and fails.
Proposal
(Credit to @jonjohnsonjr for this idea 🧠 )
To allow our advisory data entry workflow to satisfy our validation checks, continue with our transparent "append only" philosophy, and account for withdrawn packages, we could create a new event type to act as a tombstone entry, which says that a previously referenced fixed version no longer exists.
The impact on downstream data transformation, and on the secdb in particular, would be that we no longer report that fixed version for the advisory — the fixed information is effectively reverted to its state prior to the original fixed event.
We would update our validation rules such that:
It would also be great to have the dev tooling and automation help us, such as by automatically adding tombstone events as needed at time of package withdrawal.
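As an added illustration of the proposal (not code from wolfictl or from the issue author), the following Go sketch replays a package's append-only event log and applies the existence check described above with tombstones taken into account. The event kind name `fixed-version-withdrawn`, the `Event` struct, and the sample package index are assumptions for this example; the issue does not define the tombstone's actual name or schema.

```go
package main

import "fmt"

// Event kinds. "fixed" reflects the existing fixed event; the tombstone
// kind's name is an assumption for this example, not the project's.
const (
	KindFixed     = "fixed"
	KindTombstone = "fixed-version-withdrawn" // hypothetical name
)

// Event is one entry in a package's append-only advisory event log.
type Event struct {
	Kind         string
	FixedVersion string // version a fixed event introduced, or a tombstone retracts
}

// Fold replays the log and returns the fixed version the secdb should
// report. A tombstone for version V removes every earlier fixed event for V,
// so the state reverts to whatever fixed event (if any) still remains.
func Fold(events []Event) (fixedVersion string, ok bool) {
	var live []Event
	for _, e := range events {
		switch e.Kind {
		case KindFixed:
			live = append(live, e)
		case KindTombstone:
			kept := live[:0] // filter in place
			for _, f := range live {
				if f.FixedVersion != e.FixedVersion {
					kept = append(kept, f)
				}
			}
			live = kept
		}
	}
	if len(live) == 0 {
		return "", false
	}
	return live[len(live)-1].FixedVersion, true
}

// Validate applies the existence check with the tombstone exemption: a fixed
// version must be present in the package index unless a later tombstone
// withdraws it, and a tombstone must retract a version that an earlier fixed
// event actually introduced. Returns one message per problem found.
func Validate(events []Event, index map[string]bool) []string {
	var problems []string
	introduced := map[string]bool{}
	lastTombstone := map[string]int{} // version -> position of its latest tombstone
	for i, e := range events {
		switch e.Kind {
		case KindFixed:
			introduced[e.FixedVersion] = true
		case KindTombstone:
			if !introduced[e.FixedVersion] {
				problems = append(problems, fmt.Sprintf("event %d: tombstone for %s has no preceding fixed event", i, e.FixedVersion))
				continue
			}
			lastTombstone[e.FixedVersion] = i
		default:
			problems = append(problems, fmt.Sprintf("event %d: unknown event kind %q", i, e.Kind))
		}
	}
	for i, e := range events {
		if e.Kind != KindFixed || index[e.FixedVersion] {
			continue
		}
		if j, ok := lastTombstone[e.FixedVersion]; ok && j > i {
			continue // withdrawn later in the log: exempt from the existence check
		}
		problems = append(problems, fmt.Sprintf("event %d: fixed version %s is not in the package index and has no tombstone", i, e.FixedVersion))
	}
	return problems
}

func main() {
	// Constructed sample reproducing the scenario in the issue: 1.2.3-r1 was
	// a valid fixed version when recorded, then the APK was withdrawn, so the
	// constructed package index no longer lists it.
	index := map[string]bool{"1.2.3-r0": true}
	log := []Event{
		{Kind: KindFixed, FixedVersion: "1.2.3-r0"},
		{Kind: KindFixed, FixedVersion: "1.2.3-r1"},
	}
	fmt.Println(Validate(log, index)) // one problem: r1 referenced but absent
	log = append(log, Event{Kind: KindTombstone, FixedVersion: "1.2.3-r1"})
	fmt.Println(Validate(log, index)) // no problems: r1 is tombstoned
	v, ok := Fold(log)
	fmt.Println(v, ok) // 1.2.3-r0 true: state reverted to before the r1 fixed event
}
```

Because the exemption is positional, a fixed event for the same version appended after its tombstone (a republished APK) is checked against the index again rather than silently exempted, and `Fold` reports it as live.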