From: Chris Marusich
To: Christopher Baines
Cc: guix-devel@gnu.org
Subject: Re: Security related tooling project
Date: Sat, 03 Apr 2021 22:09:24 -0700
Message-ID: <87mtuebpq3.fsf@gmail.com>
In-Reply-To: <874kgn4plq.fsf@cbaines.net> (Christopher Baines's message of "Sat, 03 Apr 2021 11:41:37 +0100")
References: <874kgn4plq.fsf@cbaines.net>
List-Id: "Development of GNU Guix and the GNU System distribution."

Christopher Baines writes:

> In terms of looking at security from a project perspective, I'm thinking
> about these kinds of needs/questions:
>
> - What security issues affect this revision of Guix? (latest or otherwise)
>
> - How do Guix contributors find out about new security issues that
>   affect Guix revisions they're interested in?
>
> From the user perspective, I want to look at things like:
>
> - How do I find out what (if any) security issues affect the software
>   I'm currently running (through Guix)?
>
> - How can I get notified when a new security issue affects the software
>   I'm currently running (through Guix)?
>
> Please let me know if you have any comments or questions!

I think this is a great plan! The last two points in particular are
particularly useful, I think.

Everyone needs security. I think Guix is in a unique position where it
is so easy to modify packages that (in theory, at least) anyone who
cares can figure out how to submit a change to upgrade and fix security
vulnerabilities. People and companies are more likely to go out of
their way to fix packages they care about. Therefore, making it easy to
identify vulnerabilities in specifically the packages they care about,
and making it easier to get involved in the community to fix them, are
important goals.

--
Chris