unofficial mirror of guix-devel@gnu.org 
From: ng0 <ngillmann@runbox.com>
To: Leo Famulari <leo@famulari.name>, guix-devel@gnu.org
Subject: Re: Call for volunteer(s) for Guix "security" web page
Date: Thu, 22 Sep 2016 10:04:37 +0000
Message-ID: <87lgykmeru.fsf@we.make.ritual.n0.is>
In-Reply-To: <20160916161458.GA17780@jasmine>

Hi,

I think this is a good idea, thanks for bringing this up.

Leo Famulari <leo@famulari.name> writes:

> Hello!
>
> GNU Guix should make it easier for bug reporters to contact us to report
> issues in Guix and Guix packages.
>
> So, we'd like to add a short "Security" page to our web site [0]. This
> page should:

I think we (you?) should post this (not cross post / CC) to other lists
as well, to gain some more attraction.

> 1) Explain how to contact us privately about security issues [1],
>
> 2) Describe the Guix release signing key [2],
>
> 3) And include a link to the security updates section of the manual [3].
>
> The page should be clear and concise. The main objectives are to make it
> easy for bug reporters to learn how to contact us, and to make it easy
> for anyone to know which key is used to sign our downloads.

In my opinion this could be extended later by something similar to
https://security.gentoo.org/ and its subpages.
As we don't have much on that topic currently, we can't write about
it. If this would be too much for the website, an inclusion in the
manual of which security measurements a vanilla Guix offers would be
good.
One example: I stumbled upon our /dev/mem configuration only when I
wanted to use flashrom for internal flashing. This is not documented
anywhere.

> Does anyone volunteer to make this page?
>
> I like this example, although it does some things we don't plan to do at
> this time, such as provide a key for securely contacting the project,
> and explain how to use GnuPG:
>
> https://syncthing.net/security.html
>
> [0] Our web site is maintained in guix-artwork.git:
> git://git.savannah.gnu.org/guix/guix-artwork.git
>
> [1] Private communication should go to <guix-security@gnu.org>
> https://lists.gnu.org/mailman/listinfo/guix-security
>
> [2] The key should be described by the key fingerprint.
> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html
>
> [3]
> https://www.gnu.org/software/guix/manual/html_node/Security-Updates.html

-- 
              ng0


Thread overview: 12+ messages
2016-09-16 16:14 Call for volunteer(s) for Guix "security" web page Leo Famulari
2016-09-22 10:04 ` ng0 [this message]
2016-09-27 18:04   ` Leo Famulari
2016-09-25 22:52 ` Leo Famulari
2016-09-27  8:58   ` Ludovic Courtès
2016-09-27 18:16     ` Leo Famulari
2016-09-28 21:08       ` Ludovic Courtès
2016-09-27 18:26     ` Leo Famulari
2016-09-28 21:07       ` Ludovic Courtès
2016-09-29 15:04       ` Leo Famulari
2016-09-30 12:08         ` Ludovic Courtès
2016-09-30 18:06           ` Leo Famulari
