From: Chris Marusich
To: Christopher Baines
Cc: guix-devel@gnu.org
Subject: Re: Security related tooling project
Date: Sun, 04 Apr 2021 13:32:44 -0700
In-Reply-To: <87v992314x.fsf@cbaines.net> (Christopher Baines's message of "Sun, 04 Apr 2021 09:27:42 +0100")
Message-ID: <87eefpbxjn.fsf@gmail.com>
Christopher Baines writes:

> Chris Marusich writes:
>
>> Christopher Baines writes:
>>
>>> In terms of looking at security from a project perspective, I'm thinking about these kinds of needs/questions:
>>>
>>> - What security issues affect this revision of Guix? (latest or otherwise)
>>>
>>> - How do Guix contributors find out about new security issues that affect Guix revisions they're interested in?
>>>
>>> From the user perspective, I want to look at things like:
>>>
>>> - How do I find out what (if any) security issues affect the software I'm currently running (through Guix)?
>>>
>>> - How can I get notified when a new security issue affects the software I'm currently running (through Guix)?
>>>
>>> Please let me know if you have any comments or questions!
>>
>> I think this is a great plan! The last two points in particular are particularly useful, I think.
>>
>> Everyone needs security. I think Guix is in a unique position where it is so easy to modify packages that (in theory, at least) anyone who cares can figure out how to submit a change to upgrade and fix security vulnerabilities.
>>
>> People and companies are more likely to go out of their way to fix packages they care about. Therefore, making it easy to identify vulnerabilities in specifically the packages they care about, and making it easier to get involved in the community to fix them, are important goals.
>
> Cool :) While it's not directly security related, I really want the subscriptions functionality I'm planning to work on to be done so that people can subscribe to things related to the packages they use, like new versions becoming available, or the build breaking for example, as that might help people stay involved.
Yes, that would be cool. I can imagine various ways that a user could get information like this. For instance, just as how the news entries tell you what's new when you "guix pull," perhaps we could add something similar (optional?) for when you install packages, like: "Hey, I see you're using packages Foo and Bar. New versions are available! They are affected by these CVEs! Run "guix refresh" from a checkout to try upgrading them!" and so on.

Another option could be to add some sort of functionality to Cuirass (does it already exist?) or the Guix Data Service which allows one to create a custom RSS feed or atom feed or similar. Imagine crafting a URL that says "This is my search query - spit out an RSS feed showing me what's going on recently with these packages". I know some wiki-style software features something like this, where you can encode a search query into a URL, and it will spit out a dynamically created RSS feed.

Another idea is: just as "guix lint" can report CVEs, perhaps the code could be adapted to enable a command that lets you lint an already-installed profile to inform you about what CVEs or updates are available for that specific collection of installed software. This could be used as a "security scanner", where you can "scan" some installed profiles to see what's vulnerable on a system. Simply keeping the package definitions up to date is half the battle; actually upgrading them on systems you care about is the other half...

Just some ideas. Perhaps one resonates with you; if not, that's fine too! Maybe the UI is the easier part, and the mechanism of reliably determining what has changed, what security updates are available, etc., is harder.
-- 
Chris
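The "lint an already-installed profile" idea from the message above, as an added example that is not part of the original e-mail and not Guix's own code (Guix is written in Guile; Python is used here only as a prototyping stand-in). It parses the tab-separated listing that `guix package -p PROFILE -I` prints (name, version, output, store path per line, as the Guix manual describes it) and checks each installed package against a vulnerability table. The sample listing, the table, its `CVE-0000-000N` ids and the "older than fixed-in version" matching rule are all constructed assumptions; the real `guix lint -c cve` matches against NVD data and is what a production tool would reuse.

```python
"""Prototype of a profile-level CVE scan (added example, not Guix code).

Reads the output of `guix package -p PROFILE -I` and reports installed
packages whose version predates a known fix. Everything in VULN_TABLE
and SAMPLE_PROFILE_LISTING is a constructed placeholder.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `guix package -I` output (tab separated).
SAMPLE_PROFILE_LISTING = (
    "foo\t1.2.3\tout\t/gnu/store/aaaa-foo-1.2.3\n"
    "bar\t2.0\tout\t/gnu/store/bbbb-bar-2.0\n"
    "baz\t0.9\tlib\t/gnu/store/cccc-baz-0.9\n"
)

# Constructed vulnerability table: package -> [(placeholder CVE id, fixed-in version)].
# An installed version strictly older than the fixed-in version is reported.
VULN_TABLE = {
    "foo": [("CVE-0000-0001", "1.2.4")],
    "bar": [("CVE-0000-0002", "2.0.1"), ("CVE-0000-0003", "2.1")],
}


@dataclass(frozen=True)
class Installed:
    name: str
    version: str
    output: str
    path: str


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    cve: str
    fixed_in: str


def parse_profile_listing(text):
    """Parse `guix package -I` output; skip blank lines, reject malformed ones."""
    packages = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}")
        packages.append(Installed(*fields))
    return packages


def version_key(version):
    """Simplified comparison key: each dotted component is reduced to its
    leading integer, so 10.0 sorts after 9.9 and a missing component counts
    as lower. Real CPE version ranges need a proper version parser."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def scan(installed):
    """One Finding per (package, advisory) whose installed version predates the fix."""
    findings = []
    for pkg in installed:
        for cve, fixed_in in VULN_TABLE.get(pkg.name, []):
            if version_key(pkg.version) < version_key(fixed_in):
                findings.append(Finding(pkg.name, pkg.version, cve, fixed_in))
    return findings


def report(findings):
    """Human-readable lines in the spirit of `guix lint` warnings."""
    return [f"{f.name}@{f.version}: probably vulnerable to {f.cve} (fixed in {f.fixed_in})"
            for f in findings]


def scan_profile(profile):
    """Scan a real profile by running `guix package -p PROFILE -I` (needs Guix installed)."""
    out = subprocess.run(["guix", "package", "-p", profile, "-I"],
                         check=True, capture_output=True, text=True).stdout
    return scan(parse_profile_listing(out))


if __name__ == "__main__":
    # Offline demo on the constructed listing; use scan_profile("~/.guix-profile") on a real system.
    for line in report(scan(parse_profile_listing(SAMPLE_PROFILE_LISTING))):
        print(line)
```

The scan is deliberately split into parsing, matching and reporting so the same `scan` can be fed from a profile, a manifest, or a system generation; the only Guix-specific piece is the listing format, which is why `parse_profile_listing` rejects lines that do not have exactly four fields instead of guessing.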