unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Bengt Richter <bokr@bokr.com>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: Security related tooling project
Date: Sun, 18 Apr 2021 04:49:30 +0200	[thread overview]
Message-ID: <20210418024930.GA11854@LionPure> (raw)
In-Reply-To: <87lf9hszte.fsf@gnu.org>

Hi,

tl;dr:

Given that crims &co monitor developer discussions to discover
unfixed vulnerabilities and clues re exploiting them,
what are your ideas to avoid building a tool that can be abused?

E.g., How will your tool avoid leaking info during an embargo window
while trusted developers are secretly/privately fixing
critical vulns?

 (pls excuse the top-post)
 --
 
On +2021-04-17 17:20:13 +0200, Ludovic Courtès wrote:
> Hello Chris!
> 
> Christopher Baines <mail@cbaines.net> skribis:
> 
> > In May last year (2020), I submitted an application to NLNet. The work I
> > set out wasn't something I was doing at the time, but something I hadn't
> > yet found time to work on, tooling specifically around security issues.
> >
> > The application got a bit lost, probably somewhat down to email issues
> > on my end. Anyway, things picked up again in February of this year
> > (2021), and this is now something I'm looking to do roughly over the
> > next 8 months.
> 
> I’m late to the party, but I think this is excellent news!  Well done!
> 
> > 1: https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/about/
> 
> [...]
> 
> > In terms of looking at security from a project perspective, I'm thinking
> > about these kinds of needs/questions:
> >
> >  - What security issues affect this revision of Guix? (latest or otherwise)
> >
> >  - How do Guix contributors find out about new security issues that
> >    affect Guix revisions they're interested in?
> >
> > From the user perspective, I want to look at things like:
> >
> >  - How do I find out what (if any) security issues affect the software
> >    I'm currently running (through Guix)?
> >
> >  - How can I get notified when a new security issue affects the software
> >    I'm currently running (through Guix)?
> 
> That sounds like a great plan!
> 
> I see several “intermediate” issues that would be super helpful for the
> overall project, such as better CPE matching as Léo suggested and/or
> providing CPE suggestions: <https://issues.guix.gnu.org/42299>.
> 
> I think the Data Service is in a great position to help out
> wrt. monitoring.  I think it’d be nice to architect things in a way that
> services enhance monitoring, but are not required for get proper
> monitoring.  For instance, the proposed ‘guix health’¹ can be
> implemented without relying on intermediate services at all (it still
> needs to rely on the NIST server, of course, but we don’t need extra
> services.)
> 
> Anyhow, it’s awesome to see you work in this area.  Like Chris Marusich
> wrote, Guix is in a good position to address security issues, and you’re
> obviously in a very good position to know what and how to improve the
> state of things in Guix, so all hail!
> 
> Ludo’.
> 
> ¹ https://issues.guix.gnu.org/31442
> 

-- 
Regards,
Bengt Richter


  reply	other threads:[~2021-04-18  2:50 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-03 10:41 Security related tooling project Christopher Baines
2021-04-03 16:13 ` Security related tooling project OFF TOPIC PRAISE Joshua Branson
2021-04-04  8:17   ` Christopher Baines
2021-04-04 13:35     ` Joshua Branson
2021-04-03 21:44 ` Security related tooling project Léo Le Bouter
2021-04-04  8:24   ` Christopher Baines
2021-04-04  5:09 ` Chris Marusich
2021-04-04  8:27   ` Christopher Baines
2021-04-04 10:43     ` Xinglu Chen
2021-04-04 20:32     ` Chris Marusich
2021-04-17 15:20 ` Ludovic Courtès
2021-04-18  2:49   ` Bengt Richter [this message]
2021-04-23 20:34     ` Christopher Baines
2021-04-23 20:32   ` Christopher Baines

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210418024930.GA11854@LionPure \
    --to=bokr@bokr.com \
    --cc=guix-devel@gnu.org \
    --cc=ludo@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).