* Upgrading Guix's security team
From: John Kehayias @ 2023-10-05 15:41 UTC (permalink / raw)
To: Guix Devel
Hi Guixers!
In light of the several high-profile CVEs this month, which were/are being handled, and more coming (curl joins the chat), some of us were discussing improving and systematizing our security team and responses. My thanks to Tobias for quick review to help finalize the XOrg CVE grafts, to Liliana for the pending glibc fix (see <https://issues.guix.gnu.org/66348>) and updating curl in preparation for a critical CVE update, and Ludo for getting this discussion started.
Here are some quick thoughts/ideas that came up for comment:
- current security email/people can be found here, which is nicely visible <https://guix.gnu.org/en/security/> yet probably in need of a hand and new faces for an important but often thankless job; no fault to them or Guix as a whole, merely a good time to see how we can keep improving
- currently we are not on the OS security distribution contact list: <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this had been discussed before but we will need commitment from people
- clear roles will be helpful; to me this includes at least a couple of people to coordinate (the majority of security issues will be handled through package upgrades/grafts) and people to help review and/or contact needed experts, like for Guix internal issues; we should make this more precise
- likewise, a clear fixed timeframe for who is on this team; keeping people fresh and engaged for what can suddenly be a time sensitive and critical job; I think this will also help spread institutional knowledge for better security practices in general
- members need not be experts but should be active in the community as committers (already a round of vetting), familiar with what issues and processes may arise, and willing to learn; perhaps we need a list of experts to consult though the current teams are a good starting point
- what are your thoughts? what are the goals and outcomes we as a distro want in security?
- finally, I think an internal discussion with maintainers and long time active committers would be helpful to get the improvements started and moving, in addition to this wider discussion here
And to get things started, I'm happy to volunteer myself to help coordinate on security, if deemed okay by our current security team, maintainers, and anyone else that's been helping to handle security. A coordinating role with a term of say 6 months to a year? Happy to provide more information and discuss here or privately; in short I'm not a security expert but have time and bandwidth to keep things moving and want to learn.
Thanks everyone, and here's to hoping the spooky season is full of fun and candy and fewer CVEs!
John Kehayias
* Re: Upgrading Guix's security team
From: Ludovic Courtès @ 2023-11-16 14:22 UTC (permalink / raw)
To: John Kehayias; +Cc: Guix Devel, guix-maintainers
Hi John,
Looks like this message was left unanswered for more than a month, which
proves you have a point!
John Kehayias <john.kehayias@protonmail.com> writes:
> - current security email/people can be found here, which is nicely
> visible <https://guix.gnu.org/en/security/> yet probably in need of a
> hand and new faces for an important but often thankless job; no fault
> to them or Guix as a whole, merely a good time to see how we can keep
> improving
Yes, we definitely need a rotation here! I for one have my name there
but regardless of my interest, I have to admit that I’ve been unable to
be sufficiently responsive. It’s time to let new folks take
responsibility.
I think we should make this a fixed-term position, to make it easier for
people to commit to actually being active when needed, with the
understanding that it’s not a commitment for life.
> - currently we are not on the OS security distribution contact list:
> <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this
> had been discussed before but we will need commitment from people
>
> - clear roles will be helpful; to me this includes at least a couple
> of people to coordinate (the majority of security issues will be
> handled through package upgrades/grafts) and people to help review
> and/or contact needed experts, like for Guix internal issues; we
> should make this more precise
We could distinguish security issues in packages provided by Guix from
security issues in Guix itself.
That said, the security team could redirect things to members of the
“core” team for security issues in Guix itself; maybe we don’t need to
formally separate the two.
> - likewise, a clear fixed timeframe for who is on this team; keeping
> people fresh and engaged for what can suddenly be a time sensitive and
> critical job; I think this will also help spread institutional
> knowledge for better security practices in general
+1!
> - members need not be experts but should be active in the community as
> committers (already a round of vetting), familiar with what issues and
> processes may arise, and willing to learn; perhaps we need a list of
> experts to consult though the current teams are a good starting point
+1
> - what are your thoughts? what are the goals and outcomes we as a
> distro want in security?
>
> - finally, I think an internal discussion with maintainers and long
> time active committers would be helpful to get the improvements
> started and moving, in addition to this wider discussion here
>
> And to get things started, I'm happy to volunteer myself to help
> coordinate on security, if deemed okay by our current security team,
> maintainers, and anyone else that's been helping to handle security. A
> coordinating role with a term of say 6 months to a year? Happy to
> provide more information and discuss here or privately; in short I'm
> not a security expert but have time and bandwidth to keep things
> moving and want to learn.
Thank you for getting the ball moving!
I’m all for having you on board and, to set an example, to leave as you
join.
If maintainers agree (Cc’d), I invite you to add your name and a
termination date to the security page, remove my name, and subscribe to
guix-security. We should add a term for other people on the team too.
How does that sound?
Ludo’.
* Re: Upgrading Guix's security team
From: Andreas Enge @ 2023-11-16 15:15 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: John Kehayias, Guix Devel, guix-maintainers
Hello,
On Thu, Nov 16, 2023 at 03:22:42PM +0100, Ludovic Courtès wrote:
> Yes, we definitely need a rotation here! I for one have my name there
> but regardless of my interest, I have to admit that I’ve been unable to
> be sufficiently responsive. It’s time to let new folks take
> responsibility.
> I think we should make this a fixed-term position, to make it easier for
> people to commit to actually being active when needed, with the
> understanding that it’s not a commitment for life.
all this sounds good. Maybe we should also clean up the mailing list.
I am on the list, but not mentioned on the security team site, and will
be happy to be removed. (My being here probably comes from a mismatch
between being interested in "security" and knowing things about
"cryptography", and my inability to act upon concrete situations of security
problems in packages.)
Andreas
* Re: Upgrading Guix's security team
From: Maxim Cournoyer @ 2023-11-18 4:31 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: John Kehayias, Guix Devel, guix-maintainers
Hi,
Ludovic Courtès <ludo@gnu.org> writes:
[...]
> Yes, we definitely need a rotation here! I for one have my name there
> but regardless of my interest, I have to admit that I’ve been unable to
> be sufficiently responsive. It’s time to let new folks take
> responsibility.
>
> I think we should make this a fixed-term position, to make it easier for
> people to commit to actually being active when needed, with the
> understanding that it’s not a commitment for life.
>
>> - currently we are not on the OS security distribution contact list:
>> <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this
>> had been discussed before but we will need commitment from people
>>
>> - clear roles will be helpful; to me this includes at least a couple
>> of people to coordinate (the majority of security issues will be
>> handled through package upgrades/grafts) and people to help review
>> and/or contact needed experts, like for Guix internal issues; we
>> should make this more precise
>
> We could distinguish security issues in packages provided by Guix from
> security issues in Guix itself.
>
> That said, the security team could redirect things to members of the
> “core” team for security issues in Guix itself; maybe we don’t need to
> formally separate the two.
>
>> - likewise, a clear fixed timeframe for who is on this team; keeping
>> people fresh and engaged for what can suddenly be a time sensitive and
>> critical job; I think this will also help spread institutional
>> knowledge for better security practices in general
>
> +1!
>
>> - members need not be experts but should be active in the community as
>> committers (already a round of vetting), familiar with what issues and
>> processes may arise, and willing to learn; perhaps we need a list of
>> experts to consult though the current teams are a good starting point
>
> +1
>
>> - what are your thoughts? what are the goals and outcomes we as a
>> distro want in security?
>>
>> - finally, I think an internal discussion with maintainers and long
>> time active committers would be helpful to get the improvements
>> started and moving, in addition to this wider discussion here
>>
>> And to get things started, I'm happy to volunteer myself to help
>> coordinate on security, if deemed okay by our current security team,
>> maintainers, and anyone else that's been helping to handle security. A
>> coordinating role with a term of say 6 months to a year? Happy to
>> provide more information and discuss here or privately; in short I'm
>> not a security expert but have time and bandwidth to keep things
>> moving and want to learn.
>
> Thank you for getting the ball moving!
>
> I’m all for having you on board and, to set an example, to leave as you
> join.
>
> If maintainers agree (Cc’d), I invite you to add your name and a
> termination date to the security page, remove my name, and subscribe to
> guix-security. We should add a term for other people on the team too.
>
> How does that sound?
Sounds good to me!
--
Thanks,
Maxim
* Re: Upgrading Guix's security team
From: Efraim Flashner @ 2023-11-18 19:18 UTC (permalink / raw)
To: Maxim Cournoyer
Cc: Ludovic Courtès, John Kehayias, Guix Devel, guix-maintainers
On Fri, Nov 17, 2023 at 11:31:41PM -0500, Maxim Cournoyer wrote:
> Hi,
>
> Ludovic Courtès <ludo@gnu.org> writes:
>
> [...]
>
> > Yes, we definitely need a rotation here! I for one have my name there
> > but regardless of my interest, I have to admit that I’ve been unable to
> > be sufficiently responsive. It’s time to let new folks take
> > responsibility.
> >
> > I think we should make this a fixed-term position, to make it easier for
> > people to commit to actually being active when needed, with the
> > understanding that it’s not a commitment for life.
> >
> >> - currently we are not on the OS security distribution contact list:
> >> <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this
> >> had been discussed before but we will need commitment from people
> >>
> >> - clear roles will be helpful; to me this includes at least a couple
> >> of people to coordinate (the majority of security issues will be
> >> handled through package upgrades/grafts) and people to help review
> >> and/or contact needed experts, like for Guix internal issues; we
> >> should make this more precise
> >
> > We could distinguish security issues in packages provided by Guix from
> > security issues in Guix itself.
> >
> > That said, the security team could redirect things to members of the
> > “core” team for security issues in Guix itself; maybe we don’t need to
> > formally separate the two.
> >
> >> - likewise, a clear fixed timeframe for who is on this team; keeping
> >> people fresh and engaged for what can suddenly be a time sensitive and
> >> critical job; I think this will also help spread institutional
> >> knowledge for better security practices in general
> >
> > +1!
> >
> >> - members need not be experts but should be active in the community as
> >> committers (already a round of vetting), familiar with what issues and
> >> processes may arise, and willing to learn; perhaps we need a list of
> >> experts to consult though the current teams are a good starting point
> >
> > +1
> >
> >> - what are your thoughts? what are the goals and outcomes we as a
> >> distro want in security?
> >>
> >> - finally, I think an internal discussion with maintainers and long
> >> time active committers would be helpful to get the improvements
> >> started and moving, in addition to this wider discussion here
> >>
> >> And to get things started, I'm happy to volunteer myself to help
> >> coordinate on security, if deemed okay by our current security team,
> >> maintainers, and anyone else that's been helping to handle security. A
> >> coordinating role with a term of say 6 months to a year? Happy to
> >> provide more information and discuss here or privately; in short I'm
> >> not a security expert but have time and bandwidth to keep things
> >> moving and want to learn.
> >
> > Thank you for getting the ball moving!
> >
> > I’m all for having you on board and, to set an example, to leave as you
> > join.
> >
> > If maintainers agree (Cc’d), I invite you to add your name and a
> > termination date to the security page, remove my name, and subscribe to
> > guix-security. We should add a term for other people on the team too.
> >
> > How does that sound?
>
> Sounds good to me!
Sounds good to me too.
--
Efraim Flashner <efraim@flashner.co.il> רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
* Re: Upgrading Guix's security team
From: Ludovic Courtès @ 2023-11-22 18:16 UTC (permalink / raw)
To: Maxim Cournoyer
Cc: John Kehayias, Guix Devel, guix-maintainers, Leo Famulari,
Tobias Geerinckx-Rice, Andreas Enge
Hello,
Efraim Flashner <efraim@flashner.co.il> writes:
> On Fri, Nov 17, 2023 at 11:31:41PM -0500, Maxim Cournoyer wrote:
[...]
>> > If maintainers agree (Cc’d), I invite you to add your name and a
>> > termination date to the security page, remove my name, and subscribe to
>> > guix-security. We should add a term for other people on the team too.
>> >
>> > How does that sound?
>>
>> Sounds good to me!
>
> Sounds good to me too.
I added John and removed myself from the security page in guix-artwork
commit 1bd9d383cc1de4cf0eb220129c065a98332b798b.
I’ve also unsubscribed Andreas and myself from the list; there are now 4
people subscribed (we should check whether the 4th person wants to be
officially involved).
Leo, Tobias, and John: What would be a good end-of-term date for each
one of you? As I see it, it wouldn’t mean you cannot do an additional
term but rather that you’ll have an opportunity to leave and that you’ll
do your best to be around by then.
Thanks again for volunteering, John!
Ludo’.
* Re: Upgrading Guix's security team
From: Leo Famulari @ 2023-11-22 18:39 UTC (permalink / raw)
To: Ludovic Courtès
Cc: Maxim Cournoyer, John Kehayias, Guix Devel, guix-maintainers,
Tobias Geerinckx-Rice, Andreas Enge
On Wed, Nov 22, 2023 at 07:16:21PM +0100, Ludovic Courtès wrote:
> Leo, Tobias, and John: What would be a good end-of-term date for each
> one of you? As I see it, it wouldn’t mean you cannot do an additional
> term but rather that you’ll have an opportunity to leave and that you’ll
> do your best to be around by then.
I think my end date should be ASAP. I'm sure everyone noticed that I
haven't been very involved in Guix lately, and I don't know when I can
be more involved again.
* Re: Upgrading Guix's security team
From: John Kehayias @ 2023-11-23 6:50 UTC (permalink / raw)
To: Ludovic Courtès
Cc: Maxim Cournoyer, Guix Devel, guix-maintainers, Leo Famulari,
Tobias Geerinckx-Rice, Andreas Enge
Hi Ludo’ and everyone else,
On Wed, Nov 22, 2023 at 07:16 PM, Ludovic Courtès wrote:
> Hello,
>
> Efraim Flashner <efraim@flashner.co.il> writes:
>
>> On Fri, Nov 17, 2023 at 11:31:41PM -0500, Maxim Cournoyer wrote:
>
> [...]
>
>>> > If maintainers agree (Cc’d), I invite you to add your name and a
>>> > termination date to the security page, remove my name, and subscribe to
>>> > guix-security. We should add a term for other people on the team too.
>>> >
>>> > How does that sound?
>>>
>>> Sounds good to me!
>>
>> Sounds good to me too.
>
> I added John and removed myself from the security page in guix-artwork
> commit 1bd9d383cc1de4cf0eb220129c065a98332b798b.
>
Thanks and happy to be a part of the team!
> I’ve also unsubscribed Andreas and myself from the list; there are now 4
> people subscribed (we should check whether the 4th person wants to be
> officially involved).
>
> Leo, Tobias, and John: What would be a good end-of-term date for each
> one of you? As I see it, it wouldn’t mean you cannot do an additional
> term but rather that you’ll have an opportunity to leave and that you’ll
> do your best to be around by then.
>
Seeing as how I'm often away from any Guix computers for a few weeks
at a time over the summer, let me say roughly 6 months, ending on May
15th.
As you say, likely I would be happy to continue, though parts of
summer I tend to be away so it would be good to not have us
shorthanded then. Or maybe staggering when people join/leave with some
overlap is a good plan.
> Thanks again for volunteering, John!
>
> Ludo’.
Welcome and hoping to serve the Guix community well!
John
* Re: Upgrading Guix's security team
From: Simon Tournier @ 2023-11-29 16:15 UTC (permalink / raw)
To: Ludovic Courtès, Maxim Cournoyer
Cc: John Kehayias, Guix Devel, guix-maintainers, Leo Famulari,
Tobias Geerinckx-Rice, Andreas Enge
Hi,
On Wed., 22 Nov. 2023 at 19:16, Ludovic Courtès <ludo@gnu.org> wrote:
> Leo, Tobias, and John: What would be a good end-of-term date for each
> one of you? As I see it, it wouldn’t mean you cannot do an additional
> term but rather that you’ll have an opportunity to leave and that you’ll
> do your best to be around by then.
I think all this should be encoded in some RFC as proposed in:
Request-For-Comment process: concrete implementation
Simon Tournier <zimon.toutoune@gmail.com>
Tue, 31 Oct 2023 12:14:42 +0100
id:87h6m7yrfh.fsf@gmail.com
https://lists.gnu.org/archive/html/guix-devel/2023-10
https://yhetil.org/guix/87h6m7yrfh.fsf@gmail.com
Well, this RFC proposal appears to me a good opportunity for clarifying
the scope, role, end-of-term, etc. of the Security Team.
Cheers,
simon
* Re: Upgrading Guix's security team
From: Hartmut Goebel @ 2024-02-05 19:34 UTC (permalink / raw)
To: Guix Devel; +Cc: guix-maintainers, Ludovic Courtès, John Kehayias
On 16.11.23 at 15:22, Ludovic Courtès wrote:
> We could distinguish security issues in packages provided by Guix from
> security issues in Guix itself.
Maybe it's also a good idea to add a security.txt to the website?
https://en.wikipedia.org/wiki/Security.txt "is meant to allow security
researchers to easily report security vulnerabilities".
Respective RFC: https://datatracker.ietf.org/doc/html/rfc9116
--
Regards
Hartmut Goebel
| Hartmut Goebel | h.goebel@crazy-compilers.com |
| www.crazy-compilers.com | compilers which you thought are impossible |
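As an added example (not the Guix project's code and not from any participant in this thread), a small checker for the core RFC 9116 rules behind Hartmut's security.txt suggestion: it parses the file, requires Contact and a single Expires, and flags stale or plain-http entries. The two sample files and the example.org addresses are constructed placeholders.

```python
"""RFC 9116 security.txt checker (added example; hypothetical, not Guix's own)."""
from datetime import datetime, timedelta, timezone

# Constructed, well-formed file; example.org addresses are placeholders.
SAMPLE = """\
# Constructed example, not the Guix project's own security.txt
Contact: mailto:security@example.org
Contact: https://example.org/security
Expires: 2098-12-31T23:59:59Z
Canonical: https://example.org/.well-known/security.txt
"""
# Constructed file with common mistakes: Expires missing, bare e-mail
# address instead of a mailto: URI, plain-http web URI.
STALE = """\
Contact: security@example.org
Canonical: http://example.org/.well-known/security.txt
"""
# Fixed reference clock so results are reproducible (constructed).
CHECK_TIME = datetime(2098, 6, 1, tzinfo=timezone.utc)
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")
WEB_FIELDS = ("canonical", "encryption", "policy", "acknowledgments", "hiring")


def parse(text):
    """Return {field (lower-case): [values]}; comments and blank lines skipped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check(text, now=None):
    """Return a list of problems; an empty list means the checked rules pass."""
    now = now or datetime.now(timezone.utc)
    fields = parse(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact: required field is missing")
    for c in contacts:
        if not c.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact: not a mailto:/https:/tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires: must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                raise ValueError("time zone missing")
        except ValueError:
            problems.append(f"Expires: not an ISO 8601 date-time: {expires[0]}")
        else:
            if when <= now:
                problems.append("Expires: date has passed, file is stale")
            elif when - now > timedelta(days=365):
                problems.append("Expires: more than a year ahead (SHOULD be under a year)")
    for name in WEB_FIELDS:  # web URIs in these fields must be https
        for v in fields.get(name, []):
            if v.lower().startswith("http:"):
                problems.append(f"{name.title()}: web URI must use https: {v}")
    return problems


if __name__ == "__main__":
    for label, text in (("SAMPLE", SAMPLE), ("STALE", STALE)):
        print(label, check(text, CHECK_TIME) or ["ok"])
```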