From: Bengt Richter
To: Ludovic Courtès
Cc: guix-devel@gnu.org
Subject: Re: Security related tooling project
Date: Sun, 18 Apr 2021 04:49:30 +0200
Message-ID: <20210418024930.GA11854@LionPure>
In-Reply-To: <87lf9hszte.fsf@gnu.org>
References: <874kgn4plq.fsf@cbaines.net> <87lf9hszte.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
User-Agent: Mutt/1.10.1 (2018-07-13)

Hi,

tl;dr: Given that crims &co monitor developer discussions to discover
unfixed vulnerabilities and clues re exploiting them, what are your
ideas to avoid building a tool that can be abused?

E.g., How will your tool avoid leaking info during an embargo window
while trusted developers are secretly/privately fixing critical vulns?

(pls excuse the top-post)
--
On +2021-04-17 17:20:13 +0200, Ludovic Courtès wrote:
> Hello Chris!
>
> Christopher Baines skribis:
>
> > In May last year (2020), I submitted an application to NLNet. The work I
> > set out wasn't something I was doing at the time, but something I hadn't
> > yet found time to work on, tooling specifically around security issues.
> >
> > The application got a bit lost, probably somewhat down to email issues
> > on my end. Anyway, things picked up again in February of this year
> > (2021), and this is now something I'm looking to do roughly over the
> > next 8 months.
>
> I’m late to the party, but I think this is excellent news! Well done!
>
> > 1: https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/about/
>
> [...]
>
> > In terms of looking at security from a project perspective, I'm thinking
> > about these kinds of needs/questions:
> >
> > - What security issues affect this revision of Guix? (latest or otherwise)
> >
> > - How do Guix contributors find out about new security issues that
> >   affect Guix revisions they're interested in?
> >
> > From the user perspective, I want to look at things like:
> >
> > - How do I find out what (if any) security issues affect the software
> >   I'm currently running (through Guix)?
> >
> > - How can I get notified when a new security issue affects the software
> >   I'm currently running (through Guix)?
>
> That sounds like a great plan!
>
> I see several “intermediate” issues that would be super helpful for the
> overall project, such as better CPE matching as Léo suggested and/or
> providing CPE suggestions: .
>
> I think the Data Service is in a great position to help out
> wrt. monitoring. I think it’d be nice to architect things in a way that
> services enhance monitoring, but are not required to get proper
> monitoring. For instance, the proposed ‘guix health’¹ can be
> implemented without relying on intermediate services at all (it still
> needs to rely on the NIST server, of course, but we don’t need extra
> services.)
>
> Anyhow, it’s awesome to see you work in this area. Like Chris Marusich
> wrote, Guix is in a good position to address security issues, and you’re
> obviously in a very good position to know what and how to improve the
> state of things in Guix, so all hail!
>
> Ludo’.
>
> ¹ https://issues.guix.gnu.org/31442
>
--
Regards,
Bengt Richter
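As an added example that is not part of this thread and not code from Guix or from the tooling project it discusses: a minimal, self-contained version of the check Chris describes ("what security issues affect the software I'm currently running?"), matching an installed-package inventory against an NVD-style CVE record by CPE 2.3 vendor/product name and version range, and reporting packages with no known CPE mapping, which is where the CPE-suggestion work Ludo mentions would plug in. The CVE record (with a placeholder identifier), the package inventory and the name-to-CPE table are all constructed for this example; the record follows the layout of NVD's JSON 1.1 feed (configurations/nodes/cpe_match).

```python
"""Check a package inventory against an NVD-style CVE record (added example).

Not Guix code.  The CVE record, the inventory and the name -> CPE mapping
are constructed; the CVE identifier is a placeholder.
"""
import re

# Constructed mapping from package names to NVD (vendor, product) pairs.
# Package names rarely equal CPE product names (the "CPE matching" problem);
# unmapped names are reported so a maintainer can supply a mapping.
NAME_TO_CPE = {
    "libexample": ("example_project", "libexample"),   # hypothetical
    "demo-server": ("demo_org", "demo_server"),        # hypothetical
}

# Constructed record in the NVD JSON 1.1 feed layout (placeholder ID).
SAMPLE_CVE = {
    "cve": {"CVE_data_meta": {"ID": "CVE-YYYY-NNNN"}},
    "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
        {"vulnerable": True,
         "cpe23Uri": "cpe:2.3:a:example_project:libexample:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "1.2.0", "versionEndExcluding": "1.2.9"},
        {"vulnerable": True,
         "cpe23Uri": "cpe:2.3:a:demo_org:demo_server:3.0.1:*:*:*:*:*:*:*"},
    ]}]},
}


def split_cpe23(uri):
    """Split a CPE 2.3 formatted string on unescaped colons (13 fields)."""
    fields, cur, i = [], [], 0
    while i < len(uri):
        if uri[i] == "\\" and i + 1 < len(uri):   # keep escaped char as-is
            cur.append(uri[i:i + 2])
            i += 2
            continue
        if uri[i] == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(uri[i])
        i += 1
    fields.append("".join(cur))
    return fields


def version_key(version):
    """Sortable key: numeric parts compare as integers, so 1.2.10 > 1.2.9.
    A version that is a prefix of another sorts before it."""
    key = []
    for part in re.split(r"[.\-_]", version):
        m = re.match(r"(\d+)(.*)$", part)
        key.append((0, int(m.group(1)), m.group(2)) if m else (1, 0, part))
    return tuple(key)


def in_version_range(version, match):
    """Apply the optional NVD range bounds that accompany a wildcard CPE."""
    k = version_key(version)
    bounds = [("versionStartIncluding", lambda b: k >= b),
              ("versionStartExcluding", lambda b: k > b),
              ("versionEndIncluding", lambda b: k <= b),
              ("versionEndExcluding", lambda b: k < b)]
    return all(ok(version_key(match[key])) for key, ok in bounds if key in match)


def cpe_match_applies(match, vendor, product, version):
    """True if one cpe_match entry covers (vendor, product, version)."""
    if not match.get("vulnerable", False):
        return False
    f = split_cpe23(match["cpe23Uri"])
    if len(f) != 13 or f[0] != "cpe" or f[1] != "2.3":
        return False                      # malformed entry: never match
    if f[3] not in ("*", vendor) or f[4] not in ("*", product):
        return False
    if f[5] == "-":                       # "not applicable" version
        return False
    if f[5] != "*":                       # exact version pinned in the CPE
        return version_key(f[5]) == version_key(version)
    return in_version_range(version, match)


def check_inventory(cve_record, inventory):
    """Return {"affected": [(cve_id, name, version)], "unmapped": [name]}.
    Only flat OR nodes are handled; AND nodes (platform conditions) are not."""
    cve_id = cve_record["cve"]["CVE_data_meta"]["ID"]
    affected, unmapped = [], []
    for name, version in inventory:
        if name not in NAME_TO_CPE:
            unmapped.append(name)
            continue
        vendor, product = NAME_TO_CPE[name]
        matches = [m for node in cve_record["configurations"]["nodes"]
                   for m in node.get("cpe_match", [])]
        if any(cpe_match_applies(m, vendor, product, version) for m in matches):
            affected.append((cve_id, name, version))
    return {"affected": affected, "unmapped": sorted(set(unmapped))}


if __name__ == "__main__":
    # Constructed inventory standing in for "what I'm currently running".
    inventory = [("libexample", "1.2.3"), ("libexample", "1.2.9"),
                 ("demo-server", "3.0.1"), ("demo-server", "3.0.2"),
                 ("mystery-tool", "0.1")]
    print(check_inventory(SAMPLE_CVE, inventory))
```

The version comparison is deliberately numeric rather than string-based, because a string comparison would rank 1.2.10 below 1.2.9 and silently miss affected packages; the "unmapped" list is the output a CPE-suggestion service would consume. Everything here runs on public NVD data only, so it adds nothing to what an embargoed fix already keeps private.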