From: ludo@gnu.org (Ludovic Courtès)
To: hellekin <hellekin@gnu.org>
Cc: Guix <guix-devel@gnu.org>, JordiGH <jordigh@octave.org>,
Zak Rogoff <zak@fsf.org>, Josh King <joshking@newamerica.net>
Subject: Re: GNU30 Security Hackathon
Date: Thu, 12 Sep 2013 14:39:37 +0200 [thread overview]
Message-ID: <87a9jinrhy.fsf@gnu.org> (raw)
In-Reply-To: <52306D24.2020906@gnu.org> (hellekin@gnu.org's message of "Wed, 11 Sep 2013 10:16:20 -0300")
[-- Attachment #1: Type: text/plain, Size: 1659 bytes --]
Hello,
hellekin <hellekin@gnu.org> skribis:
> My objective with this email is to gather a list of suggestions as to
> where to put the effort on your various projects, in order to make it
> more convenient for them to choose. I'm willing to gather
> security-related bugs that they can look into and fix over a period of
> 3 days (obviously not full time), or ideas for useful tools related to
> privacy or security.
This sounds like a great initiative.
For Guix, a bug that we have is that pre-built binaries downloaded from
hydra.gnu.org are not cryptographically signed. Note that, unlike most
other distros, binaries are not uploaded manually by the package
maintainer; instead, the build farm at hydra.gnu.org just builds all the
packages using recipes from the Guix repo, and publishes the binaries
over HTTP.
So the fix is twofold: first Hydra (the software behind hydra.gnu.org)
needs to be modified to produce and publish digital signatures; second
Guix’s “substituter” (the program that fetches pre-built binaries) needs
to actually fetch those signatures and check against them.
Ways to do it have been discussed before:
http://lists.gnu.org/archive/html/bug-guix/2013-05/msg00087.html
http://lists.science.uu.nl/pipermail/nix-dev/2013-May/011200.html
I think the task could fit the kind of hackathon you describe.
Technically Hydra is written in Perl, and Guix is written in Scheme.
Guix is a GNU package; Hydra is not, and Guix is not its only user.
It’s unlikely that Guix hackers will be physically present, but
hopefully you can find someone on #guix on Freenode!
Thanks,
Ludo’.
[-- Attachment #2: Type: application/pgp-signature, Size: 197 bytes --]
prev parent reply other threads:[~2013-09-12 12:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-11 13:16 GNU30 Security Hackathon hellekin
2013-09-11 13:38 ` Jordi Gutiérrez Hermoso
2013-09-12 12:39 ` Ludovic Courtès [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a9jinrhy.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=hellekin@gnu.org \
--cc=jordigh@octave.org \
--cc=joshking@newamerica.net \
--cc=zak@fsf.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).