From: John Kehayias <john.kehayias@protonmail.com>
To: Guix Devel <guix-devel@gnu.org>
Subject: Upgrading Guix's security team
Date: Thu, 05 Oct 2023 15:41:00 +0000
Message-ID: <87cyxt9iwm.fsf@protonmail.com>

Hi Guixers!

In light of the several high-profile CVEs this month, which were/are being handled, and more coming (curl joins the chat), some of us were discussing improving and systematizing our security team and responses. My thanks to Tobias for the quick review to help finalize the XOrg CVE grafts, to Liliana for the pending glibc fix (see <https://issues.guix.gnu.org/66348>) and for updating curl in preparation for a critical CVE update, and to Ludo for getting this discussion started.

Here are some quick thoughts/ideas that came up for comment:

- the current security email/people can be found at <https://guix.gnu.org/en/security/>, which is nicely visible, yet probably in need of a hand and new faces for an important but often thankless job; no fault to them or Guix as a whole, merely a good time to see how we can keep improving

- currently we are not on the OS security distribution contact list: <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this had been discussed before but we will need commitment from people

- clear roles will be helpful; to me this includes at least a couple of people to coordinate (the majority of security issues will be handled through package upgrades/grafts) and people to help review and/or contact needed experts, like for Guix internal issues; we should make this more precise

- likewise, a clear fixed timeframe for who is on this team, keeping people fresh and engaged for what can suddenly be a time-sensitive and critical job; I think this will also help spread institutional knowledge for better security practices in general

- members need not be experts but should be active in the community as committers (already a round of vetting), familiar with what issues and processes may arise, and willing to learn; perhaps we need a list of experts to consult though the current teams are a good starting point

- What are your thoughts? What are the goals and outcomes we as a distro want in security?

- finally, I think an internal discussion with maintainers and long time active committers would be helpful to get the improvements started and moving, in addition to this wider discussion here

And to get things started, I'm happy to volunteer myself to help coordinate on security, if deemed okay by our current security team, maintainers, and anyone else that's been helping to handle security. A coordinating role with a term of say 6 months to a year? Happy to provide more information and discuss here or privately; in short I'm not a security expert but have time and bandwidth to keep things moving and want to learn.

Thanks everyone, and here's to hoping the spooky season is full of fun and candy and fewer CVEs!

John Kehayias

Thread overview: 12+ messages
2023-10-05 15:41 John Kehayias [this message]
2023-11-16 14:22 ` Upgrading Guix's security team Ludovic Courtès
2023-11-16 15:15   ` Andreas Enge
2023-11-18  4:31   ` Maxim Cournoyer
2023-11-18 19:18     ` Efraim Flashner
2023-11-22 18:16       ` Ludovic Courtès
2023-11-22 18:39         ` Leo Famulari
2023-11-22 19:02           ` Tobias Geerinckx-Rice
2023-12-09 10:55             ` Ludovic Courtès
2023-11-23  6:50         ` John Kehayias
2023-11-29 16:15         ` Simon Tournier
2024-02-05 19:34   ` Hartmut Goebel