Call for volunteer(s) for Guix "security" web page

Call for volunteer(s) for Guix "security" web page

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1276 bytes --]

Hello!

GNU Guix should make it easier for bug reporters to contact us to report
issues in Guix and Guix packages.

So, we'd like to add a short "Security" page to our web site [0]. This
page should:

1) Explain how to contact us privately about security issues [1],

2) Describe the Guix release signing key [2],

3) And include a link to the security updates section of the manual [3].

The page should be clear and concise. The main objectives are to make it
easy for bug reporters to learn how to contact us, and to make it easy
for anyone to know which key is used to sign our downloads.

Does anyone volunteer to make this page?

I like this example, although it does some things we don't plan to do at
this time, such as provide a key for securely contacting the project,
and explain how to use GnuPG:

https://syncthing.net/security.html

[0] Our web site is maintained in guix-artwork.git:
git://git.savannah.gnu.org/guix/guix-artwork.git

[1] Private communication should go to <guix-security@gnu.org>
https://lists.gnu.org/mailman/listinfo/guix-security

[2] The key should be described by the key fingerprint.
https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html

[3]
https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Call for volunteer(s) for Guix "security" web page

[ng0]

Hi,

I think this is a good idea, thanks for bringing this up.

Leo Famulari <leo@famulari.name> writes:

> Hello!
>
> GNU Guix should make it easier for bug reporters to contact us to report
> issues in Guix and Guix packages.
>
> So, we'd like to add a short "Security" page to our web site [0]. This
> page should:

I think we (you?) should post this (not cross post / CC) to other lists
as well, to gain some more attraction.

> 1) Explain how to contact us privately about security issues [1],
>
> 2) Describe the Guix release signing key [2],
>
> 3) And include a link to the security updates section of the manual [3].
>
> The page should be clear and concise. The main objectives are to make it
> easy for bug reporters to learn how to contact us, and to make it easy
> for anyone to know which key is used to sign our downloads.

In my opinion this could be extended later by something similar to
https://security.gentoo.org/ and its subpages.
As we don't have much on that topic currently, we can't write about
it. If this would be too much for the website, an inclusion in the
manual of which security measurements a vanilla Guix offers would be
good.
One example: I stumbled upon our /dev/mem configuration only when I
wanted to use flashrom for internal flashing. This is not documented
anywhere.

> Does anyone volunteer to make this page?
>
> I like this example, although it does some things we don't plan to do at
> this time, such as provide a key for securely contacting the project,
> and explain how to use GnuPG:
>
> https://syncthing.net/security.html
>
> [0] Our web site is maintained in guix-artwork.git:
> git://git.savannah.gnu.org/guix/guix-artwork.git
>
> [1] Private communication should go to <guix-security@gnu.org>
> https://lists.gnu.org/mailman/listinfo/guix-security
>
> [2] The key should be described by the key fingerprint.
> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html
>
> [3]
> https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html

-- 
              ng0

Re: Call for volunteer(s) for Guix "security" web page

[Leo Famulari]

[-- Attachment #1.1: Type: text/plain, Size: 787 bytes --]

On Fri, Sep 16, 2016 at 12:14:58PM -0400, Leo Famulari wrote:
> Hello!
> 
> GNU Guix should make it easier for bug reporters to contact us to report
> issues in Guix and Guix packages.
> 
> So, we'd like to add a short "Security" page to our web site [0]. This
> page should:
> 
> 1) Explain how to contact us privately about security issues [1],
> 
> 2) Describe the Guix release signing key [2],
> 
> 3) And include a link to the security updates section of the manual [3].

I've attached my first draft of this page. This patch is for
guix-artwork.git.

Please give me your feedback.

I'm specifically unsure of what to say about the signing key. Should we
recommend that users get it from a certain place? Should we provide the
public key itself on this page?

[-- Attachment #1.2: 0001-www-security-New-page.patch --]
[-- Type: text/plain, Size: 4510 bytes --]

From 30699a5a8de5ac09c6fbba93be6b88a1d77bc039 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sun, 25 Sep 2016 18:43:28 -0400
Subject: [PATCH] www: security: New page.

* website/www/security.scm: New file.
* website/www.scm (%web-pages): Add security-page.
* website/www/shared.scm (html-page-links): Add "Security".
---
 website/www.scm          |  2 ++
 website/www/security.scm | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
 website/www/shared.scm   |  1 +
 3 files changed, 52 insertions(+)
 create mode 100644 website/www/security.scm

diff --git a/website/www.scm b/website/www.scm
index f0465eb..244830b 100644
--- a/website/www.scm
+++ b/website/www.scm
@@ -28,6 +28,7 @@
   #:use-module (www about)
   #:use-module (www contribute)
   #:use-module (www help)
+  #:use-module (www security)
   #:use-module (sxml simple)
   #:use-module (sxml match)
   #:use-module (web client)
@@ -335,6 +336,7 @@ Distribution.")
     ("donate/index.html" ,donate-page)
     ("download/index.html" ,download-page)
     ("help/index.html" ,help-page)
+    ("security/index.html" ,security-page)
     ;; ("packages/index.html" ,packages-page) ; Need Guix
     ;; ("packages/issues.html" ,issues-page)
     ))
diff --git a/website/www/security.scm b/website/www/security.scm
new file mode 100644
index 0000000..09e9748
--- /dev/null
+++ b/website/www/security.scm
@@ -0,0 +1,49 @@
+;;; GuixSD website --- GNU's advanced distro website
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;;
+;;; This file is part of GuixSD website.
+;;;
+;;; GuixSD website is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU Affero General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GuixSD website is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU Affero General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU Affero General Public License
+;;; along with GuixSD website.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (www security)
+  #:use-module (www utils)
+  #:use-module (www shared)
+  #:export (security-page))
+
+(define (security-page)
+  `(html (@ (lang "en"))
+         ,(html-page-header "Security")
+         ,(html-page-links)
+         (div (@ (id "content-box"))
+              (article
+               (h1 "Security")
+               (h2 "How to report security issues")
+               (p "To report sensitive security issues in Guix itself or the packages it "
+                  "provides, you can write to the private mailing list "
+                  (a (@ (href "https://lists.gnu.org/mailman/listinfo/guix-security"))
+                     ("guix-security@gnu.org"))
+                     ".  This list is monitored by a small team of Guix "
+                     "developers.")
+               (h2 "Release signatures")
+               (p "Releases of Guix and GuixSD are signed using the OpenPGP "
+                  "key with the fingerprint "
+                  "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5.  "
+                  "This key can be obtained from XXX.")
+               (h2 "Security updates")
+               (p "When security vulnerabilities are found in Guix or the "
+                  "packages provided by Guix, we will provide "
+                  (a (@ (href ,(base-url "manual/html_node/Security-Updates.html")))
+                     "security updates")
+                  " quickly and with minimal disruption for users.")
+               ,(html-page-footer)))))
diff --git a/website/www/shared.scm b/website/www/shared.scm
index ed864ef..04be0f4 100644
--- a/website/www/shared.scm
+++ b/website/www/shared.scm
@@ -88,6 +88,7 @@ Functional package management,")))
 	    ;; Note: valid only if `packages-page' is exported.
 	    (li (a (@ (href ,(base-url "packages"))) "Packages"))
 	    (li (a (@ (href ,(base-url "help"))) "Help"))
+	    (li (a (@ (href ,(base-url "security"))) "Security"))
 	    (li (a (@ (href ,(base-url "contribute"))) "Contribute"))
 	    (li (a (@ (href ,(base-url "donate"))) "Donate"))
 	    (li (a (@ (href ,(base-url "about"))) "About")))))
-- 
2.10.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Call for volunteer(s) for Guix "security" web page

[Ludovic Courtès]

Hi Leo,

Thanks a lot both for sending the call and replying to it!  :-)

> From 30699a5a8de5ac09c6fbba93be6b88a1d77bc039 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Sun, 25 Sep 2016 18:43:28 -0400
> Subject: [PATCH] www: security: New page.
>
> * website/www/security.scm: New file.
> * website/www.scm (%web-pages): Add security-page.
> * website/www/shared.scm (html-page-links): Add "Security".

[...]

> +               (h2 "How to report security issues")
> +               (p "To report sensitive security issues in Guix itself or the packages it "
> +                  "provides, you can write to the private mailing list "
> +                  (a (@ (href "https://lists.gnu.org/mailman/listinfo/guix-security"))
> +                     ("guix-security@gnu.org"))
> +                     ".  This list is monitored by a small team of Guix "
> +                     "developers.")
> +               (h2 "Release signatures")
> +               (p "Releases of Guix and GuixSD are signed using the OpenPGP "
> +                  "key with the fingerprint "
> +                  "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5.  "
> +                  "This key can be obtained from XXX.")

Maybe link to
<https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html>
or copy/paste the text?  Though we should give a ‘gpg --recv-keys’
command that uses the full fingerprint instead of just the 64-bit ID
(which is still too small, some say.)

> +               (h2 "Security updates")
> +               (p "When security vulnerabilities are found in Guix or the "
> +                  "packages provided by Guix, we will provide "
> +                  (a (@ (href ,(base-url "manual/html_node/Security-Updates.html")))
> +                     "security updates")
> +                  " quickly and with minimal disruption for users.")

Maybe also that Guix is a “rolling release”, so there’s currently no
separate security-fix branch and all critical fixes go to master?

I guess you can already commit that!

I wonder if it would make sense to add a note on reproducible builds,
‘guix challenge’ and all that; later maybe!

Note that you’ll then need to commit the resulting HTML to CVS(!) to
that the update pages show up, as per the instructions available on the
Savannah project page.  If you’re unsure or anything, I can do that.

Thank you!

Ludo’.

Re: Call for volunteer(s) for Guix "security" web page

[Leo Famulari]

On Thu, Sep 22, 2016 at 10:04:37AM +0000, ng0 wrote:
> In my opinion this could be extended later by something similar to
> https://security.gentoo.org/ and its subpages.
> As we don't have much on that topic currently, we can't write about
> it. If this would be too much for the website, an inclusion in the
> manual of which security measurements a vanilla Guix offers would be
> good.
> One example: I stumbled upon our /dev/mem configuration only when I
> wanted to use flashrom for internal flashing. This is not documented
> anywhere.

It's a good idea, but of course somebody needs to actually do the work
:)

My primary goal for this page right now is to make it easy to for anyone
to learn how to contact us about security issues. I'm hoping this page
is the first result on DuckDuckGo and Google for "guix security".

Re: Call for volunteer(s) for Guix "security" web page

[Leo Famulari]

[-- Attachment #1.1: Type: text/plain, Size: 805 bytes --]

On Tue, Sep 27, 2016 at 10:58:09AM +0200, Ludovic Courtès wrote:
> > +               (h2 "Release signatures")
> > +               (p "Releases of Guix and GuixSD are signed using the OpenPGP "
> > +                  "key with the fingerprint "
> > +                  "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5.  "
> > +                  "This key can be obtained from XXX.")
> 
> Maybe link to
> <https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html>
> or copy/paste the text?  Though we should give a ‘gpg --recv-keys’
> command that uses the full fingerprint instead of just the 64-bit ID
> (which is still too small, some say.)

Here's a patch that uses the fingerprint in guix.texi. What do you
think? Also, please verify that I've got it right :)

[-- Attachment #1.2: 0001-doc-Give-the-full-key-fingerprint-instead-of-the-lon.patch --]
[-- Type: text/plain, Size: 847 bytes --]

From 64b1df0a9565154ac2a1bd5289a13572b00bb5e0 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Tue, 27 Sep 2016 14:12:02 -0400
Subject: [PATCH] doc: Give the full key fingerprint instead of the long key
 ID.

* doc/guix.texi (OPENPGP-SIGNING-KEY-ID): Use fingerprint instead of
long key ID.
---
 doc/guix.texi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index c159e12..239428a 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -10,7 +10,7 @@
 @include version.texi
 
 @c Identifier of the OpenPGP key used to sign tarballs and such.
-@set OPENPGP-SIGNING-KEY-ID 090B11993D9AEBB5
+@set OPENPGP-SIGNING-KEY-ID 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
 
 @copying
 Copyright @copyright{} 2012, 2013, 2014, 2015, 2016 Ludovic Courtès@*
-- 
2.10.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Call for volunteer(s) for Guix "security" web page

[Leo Famulari]

[-- Attachment #1.1: Type: text/plain, Size: 1746 bytes --]

On Tue, Sep 27, 2016 at 10:58:09AM +0200, Ludovic Courtès wrote:
> > +               (h2 "Release signatures")
> > +               (p "Releases of Guix and GuixSD are signed using the OpenPGP "
> > +                  "key with the fingerprint "
> > +                  "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5.  "
> > +                  "This key can be obtained from XXX.")
> 
> Maybe link to
> <https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html>
> or copy/paste the text?  Though we should give a ‘gpg --recv-keys’
> command that uses the full fingerprint instead of just the 64-bit ID
> (which is still too small, some say.)
> 
> > +               (h2 "Security updates")
> > +               (p "When security vulnerabilities are found in Guix or the "
> > +                  "packages provided by Guix, we will provide "
> > +                  (a (@ (href ,(base-url "manual/html_node/Security-Updates.html")))
> > +                     "security updates")
> > +                  " quickly and with minimal disruption for users.")
> 
> Maybe also that Guix is a “rolling release”, so there’s currently no
> separate security-fix branch and all critical fixes go to master?

I tried to implement these suggestion in the attached patch.

> I wonder if it would make sense to add a note on reproducible builds,
> ‘guix challenge’ and all that; later maybe!

Yes, later. Volunteers still welcome :)

> Note that you’ll then need to commit the resulting HTML to CVS(!) to
> that the update pages show up, as per the instructions available on the
> Savannah project page.  If you’re unsure or anything, I can do that.

I'll try it if this new patch is okay.

[-- Attachment #1.2: 0001-www-security-New-page.patch --]
[-- Type: text/plain, Size: 4926 bytes --]

From eeff071ec9fbe527a97e2c7487e79e4b843916a1 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sun, 25 Sep 2016 18:43:28 -0400
Subject: [PATCH] www: security: New page.

* website/www/security.scm: New file.
* website/www.scm (%web-pages): Add security-page.
* website/www/shared.scm (html-page-links): Add "Security".
---
 website/www.scm          |  2 ++
 website/www/security.scm | 55 ++++++++++++++++++++++++++++++++++++++++++++++++
 website/www/shared.scm   |  1 +
 3 files changed, 58 insertions(+)
 create mode 100644 website/www/security.scm

diff --git a/website/www.scm b/website/www.scm
index f0465eb..244830b 100644
--- a/website/www.scm
+++ b/website/www.scm
@@ -28,6 +28,7 @@
   #:use-module (www about)
   #:use-module (www contribute)
   #:use-module (www help)
+  #:use-module (www security)
   #:use-module (sxml simple)
   #:use-module (sxml match)
   #:use-module (web client)
@@ -335,6 +336,7 @@ Distribution.")
     ("donate/index.html" ,donate-page)
     ("download/index.html" ,download-page)
     ("help/index.html" ,help-page)
+    ("security/index.html" ,security-page)
     ;; ("packages/index.html" ,packages-page) ; Need Guix
     ;; ("packages/issues.html" ,issues-page)
     ))
diff --git a/website/www/security.scm b/website/www/security.scm
new file mode 100644
index 0000000..efe8315
--- /dev/null
+++ b/website/www/security.scm
@@ -0,0 +1,55 @@
+;;; GuixSD website --- GNU's advanced distro website
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;;
+;;; This file is part of GuixSD website.
+;;;
+;;; GuixSD website is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU Affero General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GuixSD website is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU Affero General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU Affero General Public License
+;;; along with GuixSD website.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (www security)
+  #:use-module (www utils)
+  #:use-module (www shared)
+  #:export (security-page))
+
+(define (security-page)
+  `(html (@ (lang "en"))
+         ,(html-page-header "Security")
+         ,(html-page-links)
+         (div (@ (id "content-box"))
+              (article
+               (h1 "Security")
+               (h2 "How to report security issues")
+               (p "To report sensitive security issues in Guix itself or the packages it "
+                  "provides, you can write to the private mailing list "
+                  (a (@ (href "https://lists.gnu.org/mailman/listinfo/guix-security"))
+                     ("guix-security@gnu.org"))
+                     ".  This list is monitored by a small team of Guix "
+                     "developers.")
+               (h2 "Release signatures")
+               (p "Releases of Guix and GuixSD are signed using the OpenPGP "
+                  "key with the fingerprint "
+                  "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5.  "
+                  "Users should "
+                  (a (@ (href ,(base-url "manual/html_node/Binary-Installation.html")))
+                     "verify")
+                  " their downloads before extracting or running them.")
+               (h2 "Security updates")
+               (p "When security vulnerabilities are found in Guix or the "
+                  "packages provided by Guix, we will provide "
+                  (a (@ (href ,(base-url "manual/html_node/Security-Updates.html")))
+                     "security updates")
+                  " quickly and with minimal disruption for users.")
+               (p "Guix uses a \"rolling release\" model.  All security "
+                  "bug-fixes are pushed directly to the master branch.  There"
+                  " is no \"stable\" branch that only receives security fixes.")
+               ,(html-page-footer)))))
diff --git a/website/www/shared.scm b/website/www/shared.scm
index ed864ef..04be0f4 100644
--- a/website/www/shared.scm
+++ b/website/www/shared.scm
@@ -88,6 +88,7 @@ Functional package management,")))
 	    ;; Note: valid only if `packages-page' is exported.
 	    (li (a (@ (href ,(base-url "packages"))) "Packages"))
 	    (li (a (@ (href ,(base-url "help"))) "Help"))
+	    (li (a (@ (href ,(base-url "security"))) "Security"))
 	    (li (a (@ (href ,(base-url "contribute"))) "Contribute"))
 	    (li (a (@ (href ,(base-url "donate"))) "Donate"))
 	    (li (a (@ (href ,(base-url "about"))) "About")))))
-- 
2.10.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Call for volunteer(s) for Guix "security" web page

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> On Tue, Sep 27, 2016 at 10:58:09AM +0200, Ludovic Courtès wrote:
> From eeff071ec9fbe527a97e2c7487e79e4b843916a1 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Sun, 25 Sep 2016 18:43:28 -0400
> Subject: [PATCH] www: security: New page.
>
> * website/www/security.scm: New file.
> * website/www.scm (%web-pages): Add security-page.
> * website/www/shared.scm (html-page-links): Add "Security".

Very good, go ahead!  :-)

Thank you!

Ludo’.

Re: Call for volunteer(s) for Guix "security" web page

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> From 64b1df0a9565154ac2a1bd5289a13572b00bb5e0 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Tue, 27 Sep 2016 14:12:02 -0400
> Subject: [PATCH] doc: Give the full key fingerprint instead of the long key
>  ID.
>
> * doc/guix.texi (OPENPGP-SIGNING-KEY-ID): Use fingerprint instead of
> long key ID.

OK, thanks!

Ludo'.

Re: Call for volunteer(s) for Guix "security" web page

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1019 bytes --]

On Tue, Sep 27, 2016 at 02:26:53PM -0400, Leo Famulari wrote:
> > Note that you’ll then need to commit the resulting HTML to CVS(!) to
> > that the update pages show up, as per the instructions available on the
> > Savannah project page.  If you’re unsure or anything, I can do that.
> 
> I'll try it if this new patch is okay.

I read some parts of the CVS manual [0].

I checked out the CVS repo over SSH as directed by Savannah. Then, I
copied all the new and changed files created by (export-web-site) in to
the CVS tree.

I want some reassurance that I'm doing the right thing before I do it :)

My plan:

$ cvs add security # The manual says that `cvs add` is not recursive.
$ cvs add security/index.html
$ cvs commit # I think this will commit all changes in tracked files.

Does that look right?

[0] For some reason nongnu.org/cvs directs users to archive.org for the
manual...
https://web.archive.org/web/20130202033128/http://ximbiot.com/cvs/manual/cvs-1.12.13/cvs_7.html#SEC68

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Call for volunteer(s) for Guix "security" web page

[Ludovic Courtès]

Hey Leo,

Leo Famulari <leo@famulari.name> skribis:

> On Tue, Sep 27, 2016 at 02:26:53PM -0400, Leo Famulari wrote:
>> > Note that you’ll then need to commit the resulting HTML to CVS(!) to
>> > that the update pages show up, as per the instructions available on the
>> > Savannah project page.  If you’re unsure or anything, I can do that.
>> 
>> I'll try it if this new patch is okay.
>
> I read some parts of the CVS manual [0].
>
> I checked out the CVS repo over SSH as directed by Savannah. Then, I
> copied all the new and changed files created by (export-web-site) in to
> the CVS tree.
>
> I want some reassurance that I'm doing the right thing before I do it :)
>
> My plan:
>
> $ cvs add security # The manual says that `cvs add` is not recursive.
> $ cvs add security/index.html
> $ cvs commit # I think this will commit all changes in tracked files.
>
> Does that look right?

Right!

In the meantime, I did it myself as I was pushing other changes.  Sorry
for stepping on your toes but hey! now you’re all set for next time!
:-)

Thanks,
Ludo’.

Re: Call for volunteer(s) for Guix "security" web page

[Leo Famulari]

On Fri, Sep 30, 2016 at 02:08:36PM +0200, Ludovic Courtès wrote:
> Hey Leo,
> 
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Tue, Sep 27, 2016 at 02:26:53PM -0400, Leo Famulari wrote:
> >> > Note that you’ll then need to commit the resulting HTML to CVS(!) to
> >> > that the update pages show up, as per the instructions available on the
> >> > Savannah project page.  If you’re unsure or anything, I can do that.
> >> 
> >> I'll try it if this new patch is okay.
> >
> > I read some parts of the CVS manual [0].
> >
> > I checked out the CVS repo over SSH as directed by Savannah. Then, I
> > copied all the new and changed files created by (export-web-site) in to
> > the CVS tree.
> >
> > I want some reassurance that I'm doing the right thing before I do it :)
> >
> > My plan:
> >
> > $ cvs add security # The manual says that `cvs add` is not recursive.
> > $ cvs add security/index.html
> > $ cvs commit # I think this will commit all changes in tracked files.
> >
> > Does that look right?
> 
> Right!
> 
> In the meantime, I did it myself as I was pushing other changes.  Sorry
> for stepping on your toes but hey! now you’re all set for next time!
> :-)

Thank you :)