unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* GNU30 Security Hackathon
@ 2013-09-11 13:16 hellekin
  2013-09-11 13:38 ` Jordi Gutiérrez Hermoso
  2013-09-12 12:39 ` Ludovic Courtès
  0 siblings, 2 replies; 3+ messages in thread
From: hellekin @ 2013-09-11 13:16 UTC (permalink / raw)
  To: Guix, Josh King, JordiGH; +Cc: Zak Rogoff

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

your project is part of the selection for the GNU30 hackathon listed
at http://www.gnu.org/gnu30/celebration

In the course of the anniversary, there's a security conference in
Buenos Aires, called Ekoparty, and I'm willing to organize a GNU
security hackathon there. [0]

Here is how it's supposed to work. Security hackers will be invited to
do one of the following things:

(1) Report zeroday vulnerabilities
(2) Fix security or privacy bugs
(3) Create, or give away security tools to the GNU project

My objective with this email is to gather a list of suggestions as to
where to put the effort on your various projects, in order to make it
more convenient for them to choose. I'm willing to gather
security-related bugs that they can look into and fix over a period of
3 days (obviously not full time), or ideas for useful tools related to
privacy or security.

Any suggestion welcome! Feel free to share this message in full or in
parts with your fellow hackers. The sooner I get answers, and the
better the participants can get ready and explore possibilities.

Regards, and happy hacking!

==
hk

[0] http://ekoparty.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQIcBAEBCgAGBQJSMG0dAAoJEEgGw2P8GJg9rggP/0Gq5yQi61mz3/YiRYcEKzT0
geFlgVukY8IHA+CJkz3XkX8GcHBplCSxiRgRwCIwdfkamWWonzlU10sL2E9qfOcT
9lkmXHbUexh8YuJGGoTDqPbsuISCxfP7gtfPwvZGXtuf1jMQE75mrV1/qrcYZztt
LmDF6USqYZEDB7QKF82uVyYNuJuvmuhByXgCTsJp5Ac+vfsrsLAC+D+LmhNxoTOk
6fZghCUcglFWbMaMNbIudb0L+b43Zbhp7Cc9ZxDwb4xjeSUkHNbSg+YIDVac0/Hh
ac1UMAUuRMkFvPpWUPvvfh5Sp2YHF4jomVJn4jd+bKoOwIAiDn311KA4g6a7pkjz
XyTCxG6noyM3o5QmuHOpr5EBzM1qfqm2uzYoGmUz4OWrzdUixOuNz5y6AVrLvHiG
fA8jBveMrIwd1izohMpjnjXkfsn1dMt0qRdpyqEjjx8nnk1V7Ahw1auRdatSsDG7
DdAXrjG/8q1jCOH6GAgfElFPacQa0/Ms9v0DGXMkVU82SzCLmj4DhaX77ufSYF9T
5qCoskECq+0Ha8/Go278BKzM3S1DeRQHQfc3LNQyAccQzhz/6/YZycZ5FUfSiXLg
/WWYuxTD8wmLluQMShOVZzP8O9uukwRjIOQ34RRehn/FG1dQRmMH7rTtsRo4ag8h
HK7o2h1kEziCg7lsDGwZ
=yfnR
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: GNU30 Security Hackathon
  2013-09-11 13:16 GNU30 Security Hackathon hellekin
@ 2013-09-11 13:38 ` Jordi Gutiérrez Hermoso
  2013-09-12 12:39 ` Ludovic Courtès
  1 sibling, 0 replies; 3+ messages in thread
From: Jordi Gutiérrez Hermoso @ 2013-09-11 13:38 UTC (permalink / raw)
  To: hellekin; +Cc: Guix, Zak Rogoff, Josh King

On Wed, 2013-09-11 at 10:16 -0300, hellekin wrote:

> your project is part of the selection for the GNU30 hackathon listed
> at http://www.gnu.org/gnu30/celebration

Oh. This doesn't sound like sensitive material at all. May I forward
it to our public dev list?

- Jordi G. H.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: GNU30 Security Hackathon
  2013-09-11 13:16 GNU30 Security Hackathon hellekin
  2013-09-11 13:38 ` Jordi Gutiérrez Hermoso
@ 2013-09-12 12:39 ` Ludovic Courtès
  1 sibling, 0 replies; 3+ messages in thread
From: Ludovic Courtès @ 2013-09-12 12:39 UTC (permalink / raw)
  To: hellekin; +Cc: Guix, JordiGH, Zak Rogoff, Josh King

[-- Attachment #1: Type: text/plain, Size: 1659 bytes --]

Hello,

hellekin <hellekin@gnu.org> skribis:

> My objective with this email is to gather a list of suggestions as to
> where to put the effort on your various projects, in order to make it
> more convenient for them to choose. I'm willing to gather
> security-related bugs that they can look into and fix over a period of
> 3 days (obviously not full time), or ideas for useful tools related to
> privacy or security.

This sounds like a great initiative.

For Guix, a bug that we have is that pre-built binaries downloaded from
hydra.gnu.org are not cryptographically signed.  Note that, unlike most
other distros, binaries are not uploaded manually by the package
maintainer; instead, the build farm at hydra.gnu.org just builds all the
packages using recipes from the Guix repo, and publishes the binaries
over HTTP.

So the fix is twofold: first Hydra (the software behind hydra.gnu.org)
needs to be modified to produce and publish digital signatures; second
Guix’s “substituter” (the program that fetches pre-built binaries) needs
to actually fetch those signatures and check against them.

Ways to do it have been discussed before:

  http://lists.gnu.org/archive/html/bug-guix/2013-05/msg00087.html
  http://lists.science.uu.nl/pipermail/nix-dev/2013-May/011200.html

I think the task could fit the kind of hackathon you describe.
Technically Hydra is written in Perl, and Guix is written in Scheme.
Guix is a GNU package; Hydra is not, and Guix is not its only user.

It’s unlikely that Guix hackers will be physically present, but
hopefully you can find someone on #guix on Freenode!

Thanks,
Ludo’.

[-- Attachment #2: Type: application/pgp-signature, Size: 197 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2013-09-12 12:44 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-09-11 13:16 GNU30 Security Hackathon hellekin
2013-09-11 13:38 ` Jordi Gutiérrez Hermoso
2013-09-12 12:39 ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).