From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: GNU30 Security Hackathon
Date: Thu, 12 Sep 2013 14:39:37 +0200
Message-ID: <87a9jinrhy.fsf@gnu.org>
References: <52306D24.2020906@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha1; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:39923)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1VK6GO-0005uG-L8
	for guix-devel@gnu.org; Thu, 12 Sep 2013 08:44:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1VK6GJ-00086K-39
	for guix-devel@gnu.org; Thu, 12 Sep 2013 08:44:48 -0400
In-Reply-To: <52306D24.2020906@gnu.org> (hellekin@gnu.org's message of "Wed,
	11 Sep 2013 10:16:20 -0300")
List-Id: <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: hellekin <hellekin@gnu.org>
Cc: Guix <guix-devel@gnu.org>, JordiGH <jordigh@octave.org>, Zak Rogoff <zak@fsf.org>, Josh King <joshking@newamerica.net>

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello,

hellekin <hellekin@gnu.org> skribis:

> My objective with this email is to gather a list of suggestions as to
> where to put the effort on your various projects, in order to make it
> more convenient for them to choose. I'm willing to gather
> security-related bugs that they can look into and fix over a period of
> 3 days (obviously not full time), or ideas for useful tools related to
> privacy or security.

This sounds like a great initiative.

For Guix, a bug that we have is that pre-built binaries downloaded from
hydra.gnu.org are not cryptographically signed.  Note that, unlike most
other distros, binaries are not uploaded manually by the package
maintainer; instead, the build farm at hydra.gnu.org just builds all the
packages using recipes from the Guix repo, and publishes the binaries
over HTTP.

So the fix is twofold: first Hydra (the software behind hydra.gnu.org)
needs to be modified to produce and publish digital signatures; second
Guix=E2=80=99s =E2=80=9Csubstituter=E2=80=9D (the program that fetches pre-=
built binaries) needs
to actually fetch those signatures and check against them.

Ways to do it have been discussed before:

  http://lists.gnu.org/archive/html/bug-guix/2013-05/msg00087.html
  http://lists.science.uu.nl/pipermail/nix-dev/2013-May/011200.html

I think the task could fit the kind of hackathon you describe.
Technically Hydra is written in Perl, and Guix is written in Scheme.
Guix is a GNU package; Hydra is not, and Guix is not its only user.

It=E2=80=99s unlikely that Guix hackers will be physically present, but
hopefully you can find someone on #guix on Freenode!

Thanks,
Ludo=E2=80=99.

--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)

iEYEARECAAYFAlIxtgwACgkQd92V4upS7PSwygCbBfIh/ORBfHzxjVzEgqGSi+wu
hEEAn27EBSbt3kObtEfYeEJKjDnRmVxB
=X3kv
-----END PGP SIGNATURE-----
--=-=-=--