unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: "Ludovic Courtès" <ludo@gnu.org>
To: Christopher Baines <mail@cbaines.net>
Cc: guix-devel@gnu.org
Subject: Re: Security related tooling project
Date: Sat, 17 Apr 2021 17:20:13 +0200	[thread overview]
Message-ID: <87lf9hszte.fsf@gnu.org> (raw)
In-Reply-To: <874kgn4plq.fsf@cbaines.net> (Christopher Baines's message of "Sat, 03 Apr 2021 11:41:37 +0100")

Hello Chris!

Christopher Baines <mail@cbaines.net> skribis:

> In May last year (2020), I submitted an application to NLNet. The work I
> set out wasn't something I was doing at the time, but something I hadn't
> yet found time to work on, tooling specifically around security issues.
>
> The application got a bit lost, probably somewhat down to email issues
> on my end. Anyway, things picked up again in February of this year
> (2021), and this is now something I'm looking to do roughly over the
> next 8 months.

I’m late to the party, but I think this is excellent news!  Well done!

> 1: https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/about/

[...]

> In terms of looking at security from a project perspective, I'm thinking
> about these kinds of needs/questions:
>
>  - What security issues affect this revision of Guix? (latest or otherwise)
>
>  - How do Guix contributors find out about new security issues that
>    affect Guix revisions they're interested in?
>
> From the user perspective, I want to look at things like:
>
>  - How do I find out what (if any) security issues affect the software
>    I'm currently running (through Guix)?
>
>  - How can I get notified when a new security issue affects the software
>    I'm currently running (through Guix)?

That sounds like a great plan!

I see several “intermediate” issues that would be super helpful for the
overall project, such as better CPE matching as Léo suggested and/or
providing CPE suggestions: <https://issues.guix.gnu.org/42299>.

I think the Data Service is in a great position to help out
wrt. monitoring.  I think it’d be nice to architect things in a way that
services enhance monitoring, but are not required for get proper
monitoring.  For instance, the proposed ‘guix health’¹ can be
implemented without relying on intermediate services at all (it still
needs to rely on the NIST server, of course, but we don’t need extra
services.)

Anyhow, it’s awesome to see you work in this area.  Like Chris Marusich
wrote, Guix is in a good position to address security issues, and you’re
obviously in a very good position to know what and how to improve the
state of things in Guix, so all hail!

Ludo’.

¹ https://issues.guix.gnu.org/31442


  parent reply	other threads:[~2021-04-17 15:20 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-03 10:41 Security related tooling project Christopher Baines
2021-04-03 16:13 ` Security related tooling project OFF TOPIC PRAISE Joshua Branson
2021-04-04  8:17   ` Christopher Baines
2021-04-04 13:35     ` Joshua Branson
2021-04-03 21:44 ` Security related tooling project Léo Le Bouter
2021-04-04  8:24   ` Christopher Baines
2021-04-04  5:09 ` Chris Marusich
2021-04-04  8:27   ` Christopher Baines
2021-04-04 10:43     ` Xinglu Chen
2021-04-04 20:32     ` Chris Marusich
2021-04-17 15:20 ` Ludovic Courtès [this message]
2021-04-18  2:49   ` Bengt Richter
2021-04-23 20:34     ` Christopher Baines
2021-04-23 20:32   ` Christopher Baines

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87lf9hszte.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=guix-devel@gnu.org \
    --cc=mail@cbaines.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).