Christopher Baines writes: > Chris Marusich writes: > >> Christopher Baines writes: >> >>> In terms of looking at security from a project perspective, I'm thinking >>> about these kinds of needs/questions: >>> >>> - What security issues affect this revision of Guix? (latest or otherwise) >>> >>> - How do Guix contributors find out about new security issues that >>> affect Guix revisions they're interested in? >>> >>> From the user perspective, I want to look at things like: >>> >>> - How do I find out what (if any) security issues affect the software >>> I'm currently running (through Guix)? >>> >>> - How can I get notified when a new security issue affects the software >>> I'm currently running (through Guix)? >>> >>> Please let me know if you have any comments or questions! >> >> I think this is a great plan! The last two points in particular are >> particularly useful, I think. >> >> Everyone needs security. I think Guix is in a unique position where it >> is so easy to modify packages that (in theory, at least) anyone who >> cares can figure out how to submit a change to upgrade and fix security >> vulnerabilities. >> >> People and companies are more likely to go out of their way to fix >> packages they care about. Therefore, making it easy to identify >> vulnerabilities in specifically the packages they care about, and making >> it easier to get involved in the community to fix them, are important >> goals. > > Cool :) While it's not directly security related, I really want the > subscriptions functionality I'm planning to work on to be done so that > people can subscribe to things related to the packages they use, like > new versions becoming available, or the build breaking for example, as > that might help people stay involved. Yes, that would be cool. I can imagine various ways that a user could get information like this. For instance, just as how the news entries tell you what's new when you "guix pull," perhaps we could add something similar (optional?) for when you install packages, like: "Hey, I see you're using packages Foo and Bar. New versions are available! They are affected by these CVEs! Run "guix refresh" from a checkout to try upgrading them!" and so on. Another option could be to add some sort of functionality to Cuirass (does it already exist?) or the Guix Data Service which allows one to create a custom RSS feed or atom feed or similar. Imagine crafting a URL that says "This is my search query - spit out an RSS feed showing me what's going on recently with these packages". I know some wiki-style software features something like this, where you can encode a search query into a URL, and it will spit out a dynamically created RSS feed. Another idea is: just as "guix lint" can report CVEs, perhaps the code could be adapted to enable a command that lets you lint an already-installed profile to inform you about what CVEs or updates are available for that specific collection of installed software. This could be used as a "security scanner", where you can "scan" some installed profiles to see what's vulnerable on a system. Simply keeping the package definitions up to date is half the battle; actually upgrading them on systems you care about is the other half... Just some ideas. Perhaps one resonates with you; if not, that's fine too! Maybe the UI is the easier part, and the mechanism of reliably determining what has changed, what security updates are available, etc., is harder. -- Chris