Hey,

In May last year (2020), I submitted an application to NLNet. The work I set out wasn't something I was doing at the time, but something I hadn't yet found time to work on, tooling specifically around security issues. The application got a bit lost, probably somewhat down to email issues on my end. Anyway, things picked up again in February of this year (2021), and this is now something I'm looking to do roughly over the next 8 months.

I've been working on stuff in and around Guix for I think around 5 years now, and in that time I have attempted some big projects, particularly things like the Guix Data Service and Guix Build Coordinator. I've fit all of that around regular non-Guix related work. The support of NLNet means I'm able to set aside more time for Guix and this work; exactly how much more time I can dedicate is something I'm still working on.

There's a more complete description of the aims and tasks here [1], and this email is effectively the start of the work. I want to get lots of input and feedback on the plans I've set out, as well as checking if there's any related or overlapping work going on.

1: https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/about/

I'm particularly excited by some of the initial work. I'm hoping getting some initial version of Guix Data Service subscriptions in place will open up loads of opportunities, and getting data about package replacements (grafts) into the Guix Data Service will be generally helpful as well.

Once that's in place, I want to tackle 3 areas: security issues from a project perspective, security issues from an individual user perspective, and prototyping some enhancements to the patch review process, specifically around security.

In terms of looking at security from a project perspective, I'm thinking about these kinds of needs/questions:

 - What security issues affect this revision of Guix? (latest or otherwise)

 - How do Guix contributors find out about new security issues that affect Guix revisions they're interested in?

From the user perspective, I want to look at things like:

 - How do I find out what (if any) security issues affect the software I'm currently running (through Guix)?

 - How can I get notified when a new security issue affects the software I'm currently running (through Guix)?

Please let me know if you have any comments or questions!

Thanks,

Chris