unofficial mirror of guix-devel@gnu.org 
From: "Ludovic Courtès" <ludo@gnu.org>
To: John Kehayias <john.kehayias@protonmail.com>
Cc: Guix Devel <guix-devel@gnu.org>, guix-maintainers@gnu.org
Subject: Re: Upgrading Guix's security team
Date: Thu, 16 Nov 2023 15:22:42 +0100
Message-ID: <8734x5ydzh.fsf@gnu.org>
In-Reply-To: <87cyxt9iwm.fsf@protonmail.com> (John Kehayias's message of "Thu,  05 Oct 2023 15:41:00 +0000")

Hi John,

Looks like this message was left unanswered for more than a month, which
proves you have a point!

John Kehayias <john.kehayias@protonmail.com> wrote:

> - current security email/people can be found here, which is nicely
> visible <https://guix.gnu.org/en/security/> yet probably in need of a
> hand and new faces for an important but often thankless job; no fault
> to them or Guix as a whole, merely a good time to see how we can keep
> improving

Yes, we definitely need a rotation here!  I for one have my name there
but regardless of my interest, I have to admit that I’ve been unable to
be sufficiently responsive.  It’s time to let new folks take
responsibility.

I think we should make this a fixed-term position, to make it easier for
people to commit to actually being active when needed, with the
understanding that it’s not a commitment for life.

> - currently we are not on the OS security distribution contact list:
> <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this
> had been discussed before but we will need commitment from people
>
> - clear roles will be helpful; to me this includes at least a couple
> of people to coordinate (the majority of security issues will be
> handled through package upgrades/grafts) and people to help review
> and/or contact needed experts, like for Guix internal issues; we
> should make this more precise

We could distinguish security issues in packages provided by Guix from
security issues in Guix itself.

That said, the security team could redirect things to members of the
“core” team for security issues in Guix itself; maybe we don’t need to
formally separate the two.

> - likewise, a clear fixed timeframe for who is on this team; keeping
> people fresh and engaged for what can suddenly be a time sensitive and
> critical job; I think this will also help spread institutional
> knowledge for better security practices in general

+1!

> - members need not be experts but should be active in the community as
> committers (already a round of vetting), familiar with what issues and
> processes may arise, and willing to learn; perhaps we need a list of
> experts to consult though the current teams are a good starting point

+1

> - what are your thoughts? what are the goals and outcomes we as a
> distro want in security?
>
> - finally, I think an internal discussion with maintainers and long
> time active committers would be helpful to get the improvements
> started and moving, in addition to this wider discussion here
>
> And to get things started, I'm happy to volunteer myself to help
> coordinate on security, if deemed okay by our current security team,
> maintainers, and anyone else that's been helping to handle security. A
> coordinating role with a term of say 6 months to a year? Happy to
> provide more information and discuss here or privately; in short I'm
> not a security expert but have time and bandwidth to keep things
> moving and want to learn.

Thank you for getting the ball moving!

I’m all for having you on board and, to set an example, to leave as you
join.

If maintainers agree (Cc’d), I invite you to add your name and a
termination date to the security page, remove my name, and subscribe to
guix-security.  We should add a term for other people on the team too.

How does that sound?

Ludo’.

