Subject: Re: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
From: Léo Le Bouter
To: Bengt Richter, Leo Famulari
Cc: Guix Devel
Date: Wed, 17 Mar 2021 07:24:02 +0100
Message-ID: <6550f60a302ab3f633fa121e665e66e419cb5cee.camel@zaclys.net>
In-Reply-To: <20210316214611.GA17584@LionPure>

On Tue, 2021-03-16 at 22:46 +0100, Bengt Richter wrote:
> I would feel better about running guix on my laptop if I
> knew all you developers had gotten together and elected
> a "security czar" who is the most competent of you to monitor
> security and also cares the most, and had the power to prevent
> applying unreviewed patches, and making sure all CVEs are taken
> care of, and kitchen doors not left open the way we did in the '50s.
>
> Sorry if it sounds like I think guix security is lax.
> Please convince me it's not so ;)
>
> Thanks, nevertheless, for all the great technical work!
>
> Just wish I could type
>     guix --what-and-who-am-I-trusting-q --full-report
> and get a complete list, with batting averages of the
> developers (regressions vs fixes), packages (estimated
> number of times executed without problem, dangerous bugs
> in development history, etc).

I think we can handle this without granting us any special powers, I
like it that we don't have roles actually!

We can discuss, debate, agree to common goals, I don't think we are
going to enter into conflict, we hear each other, we communicate, I
think that's a really good thing in GNU Guix :-D

Lots of other communities enter into conflict fast and stop
communicating, GNU Guix is not that, there's a spirit of goodwill of
everyone and that's really pleasing to live as a contributor and user.