Security page of a certain Nix issue

[RaitoBezarius]

The security page of a certain Nix issue should:

• be accessible via website.tld/$tracking
• informs about the current status: awaiting-mitigation, mitigation-in-progress, mitigated, wontfix on each supported channel.
• list all maintainers, grouped by package
• list all known vulnerabilities
  • grouped by package

For maintainers (or more):

• change status.
• performs any operations: bump the package in that channel (unstable or stable X), add/remove a known vulnerability as a new PR.

For security team:

• admin access.

[fricklerhandwerk]

We could use https://github.com/etianen/django-reversion for the activity log.

[RaitoBezarius]

That might be overkill because it will store the whole NixIssue information rather than just an activity log of "has changed X to Y", "has added X", etc.
But I guess that's an option.

[fricklerhandwerk]

Django-reversion stores the versions of a model as JSON. If a model changes, the migrations are not applied to the stored JSON data. Therefore it can happen that an old version can no longer be restored.

-- common problems

Ew, okay. Nope.

There's also https://github.com/Opus10/django-pghistory, but that's bound to Postgres.

I generally like how https://github.com/jazzband/django-simple-history works, but one has to be extra careful to layout the data in a way that one doesn't store large rows on every little movement.

[RaitoBezarius]

We don't really care about being bound to PostgreSQL.

[alejandrosame]

Check #101 for the activity log setup. As the commit message says, for now it tracks all changes to NixpkgsIssue model, but it's trivial to add per-field tracking once the model has stabilized.

[fricklerhandwerk]

Superseded by #1