From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id ENtLLUUvg2AcMAEAgWs5BA (envelope-from ) for ; Fri, 23 Apr 2021 22:34:13 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id QJAGKUUvg2D7AwAA1q6Kng (envelope-from ) for ; Fri, 23 Apr 2021 20:34:13 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 6866015846 for ; Fri, 23 Apr 2021 22:34:13 +0200 (CEST) Received: from localhost ([::1]:59984 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1la2VA-0002W4-KK for larch@yhetil.org; Fri, 23 Apr 2021 16:34:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:52640) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1la2TZ-0001CB-SG for guix-devel@gnu.org; Fri, 23 Apr 2021 16:32:34 -0400 Received: from mira.cbaines.net ([212.71.252.8]:34568) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1la2TU-0003aa-Li; Fri, 23 Apr 2021 16:32:33 -0400 Received: from localhost (unknown [IPv6:2a02:8010:68c1:0:8ac0:b4c7:f5c8:7caa]) by mira.cbaines.net (Postfix) with ESMTPSA id 0373827BC7C; Fri, 23 Apr 2021 21:32:27 +0100 (BST) Received: from capella (localhost [127.0.0.1]) by localhost (OpenSMTPD) with ESMTP id 18ac0912; Fri, 23 Apr 2021 20:32:26 +0000 (UTC) References: <874kgn4plq.fsf@cbaines.net> <87lf9hszte.fsf@gnu.org> User-agent: mu4e 1.4.15; emacs 27.1 From: Christopher Baines To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: Re: Security related tooling project In-reply-to: <87lf9hszte.fsf@gnu.org> Date: Fri, 23 Apr 2021 21:32:26 +0100 Message-ID: <87h7jwhhd1.fsf@cbaines.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Received-SPF: pass client-ip=212.71.252.8; envelope-from=mail@cbaines.net; helo=mira.cbaines.net X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1619210053; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post; bh=ri6n16dZkxad3BxFqqaXkImfjjZ30uwplxEiwaiisVY=; b=fz5cAIH7Lv83D2nkpkfYtp2WoAEHfLB9IaDphMnh+CnEFg0HZJR0hIFGUJEEDGd2BRFtnZ KG1z4tw1LtJ7381Ge5HmtOt4e0x7UYQsTfPgUKBENaCEQnETI5elxqxmkYFvQeFLN1KPwR jdDq7ivRKzn3zh0+wtlG8nXUonIrPfud/OL5x2PV3CugW+ibowji6hKL1zQM4WDW69xBw+ uHBm9UJC7tyfngEsscBH/LECxW+KASCmj+Curd2zQ1QNnZDH36BauQx3ldIQjysXnhGhiD FDI/7UbQhWNyaPaOjhsMl8g9TmJS+w1BrEkl5FyjFwQdaV6mxA3M5+HE23/wWQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1619210053; a=rsa-sha256; cv=none; b=bDjStj5QyrgOrpCfpmao/hijCf6MfaAyGmd2yyhCMxsydUI8GUpvfMM1lxTGj8W5cgGik1 r/M6kGgBdKddim9G9XPz7sGPtzK+ntiD65l3J+F4m6VWrTcARKatHeI9ussqFXG8aui1Lg PyB1v0CyXaAKHp/WtXaz2g6VgKiK8iMsyFY23U/oaEQOjx+aB1mCfWXiDVBCZritMU37yw IH1aIwi/RtqzDnejPCXi2DVQk8Eul/ZXzTBQX8Obdicm9aXQiQo5pHLNzySiuoNZLS+Ask mFpuJAKZobvZZp2XyxO1t+59KA2OaPadj+gerObJR46uBoQbgFGPeqstoIrZ5g== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -4.54 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 6866015846 X-Spam-Score: -4.54 X-Migadu-Scanner: scn0.migadu.com X-TUID: k8a9Fk+sFnEO --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Ludovic Court=C3=A8s writes: > Hello Chris! > > Christopher Baines skribis: > >> In May last year (2020), I submitted an application to NLNet. The work I >> set out wasn't something I was doing at the time, but something I hadn't >> yet found time to work on, tooling specifically around security issues. >> >> The application got a bit lost, probably somewhat down to email issues >> on my end. Anyway, things picked up again in February of this year >> (2021), and this is now something I'm looking to do roughly over the >> next 8 months. > > I=E2=80=99m late to the party, but I think this is excellent news! Well = done! > >> 1: https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/ab= out/ > > [...] n> >> In terms of looking at security from a project perspective, I'm thinking >> about these kinds of needs/questions: >> >> - What security issues affect this revision of Guix? (latest or otherwi= se) >> >> - How do Guix contributors find out about new security issues that >> affect Guix revisions they're interested in? >> >> From the user perspective, I want to look at things like: >> >> - How do I find out what (if any) security issues affect the software >> I'm currently running (through Guix)? >> >> - How can I get notified when a new security issue affects the software >> I'm currently running (through Guix)? > > That sounds like a great plan! > > I see several =E2=80=9Cintermediate=E2=80=9D issues that would be super h= elpful for the > overall project, such as better CPE matching as L=C3=A9o suggested and/or > providing CPE suggestions: . > > I think the Data Service is in a great position to help out > wrt. monitoring. I think it=E2=80=99d be nice to architect things in a w= ay that > services enhance monitoring, but are not required for get proper > monitoring. For instance, the proposed =E2=80=98guix health=E2=80=99=C2= =B9 can be > implemented without relying on intermediate services at all (it still > needs to rely on the NIST server, of course, but we don=E2=80=99t need ex= tra > services.) > > Anyhow, it=E2=80=99s awesome to see you work in this area. Like Chris Ma= rusich > wrote, Guix is in a good position to address security issues, and you=E2= =80=99re > obviously in a very good position to know what and how to improve the > state of things in Guix, so all hail! That's good to hear! Thanks, Chris --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQKlBAEBCgCPFiEEPonu50WOcg2XVOCyXiijOwuE9XcFAmCDLtpfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcRHG1haWxAY2Jh aW5lcy5uZXQACgkQXiijOwuE9Xf8Wg//db6pKxqfeXLpA6lclQrwX+aLNsyhy9mT bTysIySSLPdvN5/ZUZZvMuu7yonY+O7hSr81G/WJ/6CKyC5MCp4Q50Wge4JqbZD4 51B7KuukD8CYP616re3t/n7uqiJr7VIaczUL/rL/Xf1g/0Tcwfp1K3LTKKStRRGp MiQypR2gTH8aWuFv46mTn/oXz7pYpMBPW6Fnu4mGDvSecsTl1Cz3R0dqzt3pEw6v ufGAtk+2m2/NzI28m8nZjSW11MRfrXRGCtNAfJVV3fjlB5mDI/rVipNvtvv3BuHt x3+/SSP3cFgkfZ166PUBEXGz2OC3acgG9k5XAmc2NOlWbRIlZ+J7pXWnc6XHp8yA vOMIraMHZZ4PU4LkTPftrp/4CYeFRlPTC/V6Zymh3T/ZY3yHUPCERMJyljeyBWui QGwQwjopXAHWUGqICVsSG0Zdlyls0CwtvDP5mmTWdRTueZYouF1OAq8ZY6IURP60 B5iTIAdeguSCekZld1BvPYjDSzJ0aSXc1Ws9Vvpttt5FD499gW00kkZuwBLZcvOI qp1ZFAesn47hsc64chCcGh+3qS4aBGveWydS2srLRln4Pet8/exrzC7xWHrm9eez ydVaUxu+ikaK3OU9Ir0Hrd1lNiOoYtFBPLMkA2uwGiDy+tugQd5sKKE8fRTrd4yd aqjDxpcCpbo= =UP8L -----END PGP SIGNATURE----- --=-=-=--