From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: Re: GNU30 Security Hackathon Date: Thu, 12 Sep 2013 14:39:37 +0200 Message-ID: <87a9jinrhy.fsf@gnu.org> References: <52306D24.2020906@gnu.org> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:39923) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1VK6GO-0005uG-L8 for guix-devel@gnu.org; Thu, 12 Sep 2013 08:44:53 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1VK6GJ-00086K-39 for guix-devel@gnu.org; Thu, 12 Sep 2013 08:44:48 -0400 In-Reply-To: <52306D24.2020906@gnu.org> (hellekin@gnu.org's message of "Wed, 11 Sep 2013 10:16:20 -0300") List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: hellekin Cc: Guix , JordiGH , Zak Rogoff , Josh King --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello, hellekin skribis: > My objective with this email is to gather a list of suggestions as to > where to put the effort on your various projects, in order to make it > more convenient for them to choose. I'm willing to gather > security-related bugs that they can look into and fix over a period of > 3 days (obviously not full time), or ideas for useful tools related to > privacy or security. This sounds like a great initiative. For Guix, a bug that we have is that pre-built binaries downloaded from hydra.gnu.org are not cryptographically signed. Note that, unlike most other distros, binaries are not uploaded manually by the package maintainer; instead, the build farm at hydra.gnu.org just builds all the packages using recipes from the Guix repo, and publishes the binaries over HTTP. So the fix is twofold: first Hydra (the software behind hydra.gnu.org) needs to be modified to produce and publish digital signatures; second Guix=E2=80=99s =E2=80=9Csubstituter=E2=80=9D (the program that fetches pre-= built binaries) needs to actually fetch those signatures and check against them. Ways to do it have been discussed before: http://lists.gnu.org/archive/html/bug-guix/2013-05/msg00087.html http://lists.science.uu.nl/pipermail/nix-dev/2013-May/011200.html I think the task could fit the kind of hackathon you describe. Technically Hydra is written in Perl, and Guix is written in Scheme. Guix is a GNU package; Hydra is not, and Guix is not its only user. It=E2=80=99s unlikely that Guix hackers will be physically present, but hopefully you can find someone on #guix on Freenode! Thanks, Ludo=E2=80=99. --=-=-= Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (GNU/Linux) iEYEARECAAYFAlIxtgwACgkQd92V4upS7PSwygCbBfIh/ORBfHzxjVzEgqGSi+wu hEEAn27EBSbt3kObtEfYeEJKjDnRmVxB =X3kv -----END PGP SIGNATURE----- --=-=-=--