From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp11.migadu.com ([2001:41d0:403:478a::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id 4PDGJqDZHmWM0wAA9RJhRA:P1 (envelope-from ) for ; Thu, 05 Oct 2023 17:43:28 +0200 Received: from aspmx1.migadu.com ([2001:41d0:403:478a::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp11.migadu.com with LMTPS id 4PDGJqDZHmWM0wAA9RJhRA (envelope-from ) for ; Thu, 05 Oct 2023 17:43:28 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 4A3D5477F0 for ; Thu, 5 Oct 2023 17:43:28 +0200 (CEST) Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=protonmail.com header.s=protonmail3 header.b=gAcp2K0+; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=quarantine) header.from=protonmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1696520608; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=lMv4GfdvYoOfd3FN0C6vcJL5Qo7ecTUyfcQjDsOtO/k=; b=LaU0WJYe2Ay5FgXqpypEobgTIUJRi0KO5EzbD4FdrEt1lQ5k25vXpjGs4eRHeBjpnDKEOW FlPDh5pfh99eMPOM8we/XV1mGkL+5zp6GPuyFZYH94HImjQVdE7NmWVEflGC2yMhnS6Ky8 RpFXrmeMLeOhmLEfX9MGB4agMOGnnnPqWr+R28aFncf8oclO43H/hiwer/PwfZ2HuDtOnF woaY45LuQKHb/NuzFubSdDWkbAo9HWXLu39ZDXISWhTctwHNF29Www9HcHE3qKoHiKbeoH 3HPPmIXuczj2+bdofZibGQqRrSlmIzkXaY2hrm39vmXcXYLdnMApcUQGBCDb5A== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1696520608; a=rsa-sha256; cv=none; b=cKW4DIZ+nAarh7vlcOAX4eVdyqL/Ev66IyhXy9/qix1F4ST1RXSxKmkiJUnB8zzCJcCImu AZnXr8xcclVTf+xbZPqjfI0B6JOUUpeGx0RsnhbY6m83h+009QdR9CdiX4hHs34Sk4wD+c u6PfladLZ3wEy0DHONihwfhPXDo+vtDbIu0ysdvsMkPGIcIZREwTzg9eOUGP3UHp/WGk5U wdeP1exYjrQE5ReN020iOGsw5tzpu6bpLmkNuRgwE2y4e/d4MtRAWGeugQk6n2SY4k1Zsr fpgd4kTwvBPWuMWInOwToGc2/RPUEJeeFJoU+1tCyvJFvyiaZ269S5jc7DWFig== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=protonmail.com header.s=protonmail3 header.b=gAcp2K0+; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=quarantine) header.from=protonmail.com Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1qoQVH-0003vK-Bj; Thu, 05 Oct 2023 11:43:07 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qoQVC-0003uu-I7 for guix-devel@gnu.org; Thu, 05 Oct 2023 11:43:03 -0400 Received: from mail-4316.protonmail.ch ([185.70.43.16]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qoQV9-0002Ji-Vb for guix-devel@gnu.org; Thu, 05 Oct 2023 11:43:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1696520568; x=1696779768; bh=lMv4GfdvYoOfd3FN0C6vcJL5Qo7ecTUyfcQjDsOtO/k=; h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector; b=gAcp2K0+7fP5TcMmQu/byVnVrYI8na6lxhDDWd4D69ztjRorZT8aJAqmh0x3mQ9Ks I3CYHh5fu68whCgrLTxn40KuEsc2DSihbQK52jQyPUJ88KHUBrxlJH3C/9esHhMJ0j n6GD0F5vy4tGP66QAaDCPGVczXRXqa34dqnmgWaD19UUHRJt8uyy1lbnP5nhSUXqGP Ybgf72qfboX4Lo6NV0fyxTdsZpjIQoQI0Np0aFUrOQFQ+d2lTnFnw6fxjHEm6WMmne W1VUuxEka5HNvu8TgWpZPMfXO8QE0HYnWEK/o1iUA9h0+5s1sLIkVNX7pe0xVI0I83 99v7OsSacPnlg== Date: Thu, 05 Oct 2023 15:41:00 +0000 To: Guix Devel From: John Kehayias Subject: Upgrading Guix's security team Message-ID: <87cyxt9iwm.fsf@protonmail.com> Feedback-ID: 7805494:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=185.70.43.16; envelope-from=john.kehayias@protonmail.com; helo=mail-4316.protonmail.ch X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Scanner: mx0.migadu.com X-Migadu-Spam-Score: -9.62 X-Spam-Score: -9.62 X-Migadu-Queue-Id: 4A3D5477F0 X-TUID: ulNHkRR3V2qt Hi Guixers! In light of the several high profile CVEs this month, which were/are being = handled and more coming (curl joins the chat) some of us were discussing im= proving and systematizing our security team and responses. My thanks to Tob= ias for quick review to help finalize the XOrg CVE grafts, to Liliana for t= he pending glibc fix (see ) and updating= curl in preparation for a critical CVE update, and Ludo for getting this d= iscussion started. Here are some quick thoughts/ideas that came up for comment: - current security email/people can be found here, which is nicely visible = yet probably in need of a hand and new = faces for an important but often thankless job; no fault to them or Guix as= a whole, merely a good time to see how we can keep improving - currently we are not on the OS security distribution contact list: ; this had been dis= cussed before but we will need commitment from people - clear roles will be helpful; to me this includes at least a couple of peo= ple to coordinate (the majority of security issues will be handled through = package upgrades/grafts) and people to help review and/or contact needed ex= perts, like for Guix internal issues; we should make this more precise - likewise, a clear fixed timeframe for who is on this team; keeping people= fresh and engaged for what can suddenly be a time sensitive and critical j= ob; I think this will also help spread institutional knowledge for better s= ecurity practices in general - members need not be experts but should be active in the community as comm= itters (already a round of vetting), familiar with what issues and processe= s may arise, and willing to learn; perhaps we need a list of experts to con= sult though the current teams are a good starting point - what are your thoughts? what are the goals and outcomes we as a distro wa= nt in security? - finally, I think an internal discussion with maintainers and long time ac= tive committers would be helpful to get the improvements started and moving= , in addition to this wider discussion here And to get things started, I'm happy to volunteer myself to help coordinate= on security, if deemed okay by our current security team, maintainers, and= anyone else that's been helping to handle security. A coordinating role wi= th a term of say 6 months to a year? Happy to provide more information and = discuss here or privately; in short I'm not a security expert but have time= and bandwidth to keep things moving and want to learn. Thanks everyone, and here's to hoping the spooky season is full of fun and = candy and less CVEs! John Kehayias