Christopher Baines writes:

> In terms of looking at security from a project perspective, I'm thinking
> about these kinds of needs/questions:
>
> - What security issues affect this revision of Guix? (latest or otherwise)
>
> - How do Guix contributors find out about new security issues that
>   affect Guix revisions they're interested in?
>
> From the user perspective, I want to look at things like:
>
> - How do I find out what (if any) security issues affect the software
>   I'm currently running (through Guix)?
>
> - How can I get notified when a new security issue affects the software
>   I'm currently running (through Guix)?
>
> Please let me know if you have any comments or questions!

I think this is a great plan! The last two points in particular are
particularly useful, I think.

Everyone needs security. I think Guix is in a unique position where it is
so easy to modify packages that (in theory, at least) anyone who cares can
figure out how to submit a change to upgrade and fix security
vulnerabilities. People and companies are more likely to go out of their
way to fix packages they care about. Therefore, making it easy to identify
vulnerabilities in specifically the packages they care about, and making
it easier to get involved in the community to fix them, are important
goals.

--
Chris