Re: Security related tooling project

[Chris Marusich <cmmarusich@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3636 bytes --]

Christopher Baines <mail@cbaines.net> writes:

> Chris Marusich <cmmarusich@gmail.com> writes:
>
>> Christopher Baines <mail@cbaines.net> writes:
>>
>>> In terms of looking at security from a project perspective, I'm thinking
>>> about these kinds of needs/questions:
>>>
>>>  - What security issues affect this revision of Guix? (latest or otherwise)
>>>
>>>  - How do Guix contributors find out about new security issues that
>>>    affect Guix revisions they're interested in?
>>>
>>> From the user perspective, I want to look at things like:
>>>
>>>  - How do I find out what (if any) security issues affect the software
>>>    I'm currently running (through Guix)?
>>>
>>>  - How can I get notified when a new security issue affects the software
>>>    I'm currently running (through Guix)?
>>>
>>> Please let me know if you have any comments or questions!
>>
>> I think this is a great plan! The last two points in particular are
>> particularly useful, I think.
>>
>> Everyone needs security.  I think Guix is in a unique position where it
>> is so easy to modify packages that (in theory, at least) anyone who
>> cares can figure out how to submit a change to upgrade and fix security
>> vulnerabilities.
>>
>> People and companies are more likely to go out of their way to fix
>> packages they care about.  Therefore, making it easy to identify
>> vulnerabilities in specifically the packages they care about, and making
>> it easier to get involved in the community to fix them, are important
>> goals.
>
> Cool :) While it's not directly security related, I really want the
> subscriptions functionality I'm planning to work on to be done so that
> people can subscribe to things related to the packages they use, like
> new versions becoming available, or the build breaking for example, as
> that might help people stay involved.

Yes, that would be cool.  I can imagine various ways that a user could
get information like this.  For instance, just as how the news entries
tell you what's new when you "guix pull," perhaps we could add something
similar (optional?) for when you install packages, like: "Hey, I see
you're using packages Foo and Bar.  New versions are available!  They
are affected by these CVEs!  Run "guix refresh" from a checkout to try
upgrading them!" and so on.

Another option could be to add some sort of functionality to Cuirass
(does it already exist?) or the Guix Data Service which allows one to
create a custom RSS feed or atom feed or similar.  Imagine crafting a
URL that says "This is my search query - spit out an RSS feed showing me
what's going on recently with these packages".  I know some wiki-style
software features something like this, where you can encode a search
query into a URL, and it will spit out a dynamically created RSS feed.

Another idea is: just as "guix lint" can report CVEs, perhaps the code
could be adapted to enable a command that lets you lint an
already-installed profile to inform you about what CVEs or updates are
available for that specific collection of installed software.  This
could be used as a "security scanner", where you can "scan" some
installed profiles to see what's vulnerable on a system.  Simply keeping
the package definitions up to date is half the battle; actually
upgrading them on systems you care about is the other half...

Just some ideas.  Perhaps one resonates with you; if not, that's fine
too!  Maybe the UI is the easier part, and the mechanism of reliably
determining what has changed, what security updates are available, etc.,
is harder.

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 861 bytes --]