From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: Call for volunteer(s) for Guix "security" web page
Date: Tue, 27 Sep 2016 10:58:09 +0200
Message-ID: <87ponp90ta.fsf@gnu.org>
References: <20160916161458.GA17780@jasmine> <20160925225248.GA13131@jasmine>
In-Reply-To: <20160925225248.GA13131@jasmine> (Leo Famulari's message of "Sun, 25 Sep 2016 18:52:48 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Leo Famulari
Cc: guix-devel@gnu.org

Hi Leo,

Thanks a lot both for sending the call and replying to it! :-)

> From 30699a5a8de5ac09c6fbba93be6b88a1d77bc039 Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Sun, 25 Sep 2016 18:43:28 -0400
> Subject: [PATCH] www: security: New page.
>
> * website/www/security.scm: New file.
> * website/www.scm (%web-pages): Add security-page.
> * website/www/shared.scm (html-page-links): Add "Security".

[...]

> + (h2 "How to report security issues")
> + (p "To report sensitive security issues in Guix itself or the packages it "
> + "provides, you can write to the private mailing list "
> + (a (@ (href "https://lists.gnu.org/mailman/listinfo/guix-security"))
> + ("guix-security@gnu.org"))
> + ". This list is monitored by a small team of Guix "
> + "developers.")
> + (h2 "Release signatures")
> + (p "Releases of Guix and GuixSD are signed using the OpenPGP "
> + "key with the fingerprint "
> + "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5. "
> + "This key can be obtained from XXX.")

Maybe link to or copy/paste the text? Though we should give a ‘gpg --recv-keys’ command that uses the full fingerprint instead of just the 64-bit ID (which is still too small, some say.)

> + (h2 "Security updates")
> + (p "When security vulnerabilities are found in Guix or the "
> + "packages provided by Guix, we will provide "
> + (a (@ (href ,(base-url "manual/html_node/Security-Updates.html")))
> + "security updates")
> + " quickly and with minimal disruption for users.")

Maybe also that Guix is a “rolling release”, so there’s currently no separate security-fix branch and all critical fixes go to master?

I guess you can already commit that!

I wonder if it would make sense to add a note on reproducible builds, ‘guix challenge’ and all that; later maybe!

Note that you’ll then need to commit the resulting HTML to CVS(!) so that the updated pages show up, as per the instructions available on the Savannah project page. If you’re unsure or anything, I can do that.

Thank you!

Ludo’.
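Review bot: in the "How to report security issues" hunk, the link body `("guix-security@gnu.org")` is wrapped in an extra pair of parentheses, while the `(a ...)` in the "Security updates" hunk passes its text directly as `"security updates"`; drop the extra parentheses so both links use the same SXML shape. Since the list is described as private, readers cannot subscribe through the listinfo page the link points at, so a `mailto:guix-security@gnu.org` link next to (or instead of) it would be more useful to someone trying to report an issue.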
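Review bot: the "Release signatures" hunk still carries the placeholder `"This key can be obtained from XXX."`, which must be resolved before this is committed. The fingerprint is already printed in full on the page, so the natural fix is a fetch command that uses that full fingerprint (not the 64-bit key ID) together with a sentence telling readers to compare the fingerprint of the key they receive against the one printed here before trusting any release signature.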
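Review bot: the "Security updates" hunk promises updates "quickly and with minimal disruption" but does not say how users learn that one has been issued; the manual link explains how to apply updates, not where they are announced. A sentence naming the announcement channel, and the point that Guix is a rolling release with fixes landing on master, would make the promise actionable.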
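The ‘gpg --recv-keys’ point above, fetching by the full fingerprint and then confirming that the key gpg actually imported carries exactly that fingerprint, as an added POSIX shell example that is not part of the patch or of the message. The function names, the GUIX_RELEASE_FPR variable and the colon-format listing are assumptions made for this example; only the fingerprint itself is taken from the page.

```shell
#!/bin/sh
# Added example: fetch an OpenPGP key by its FULL 40-hex-digit fingerprint and
# confirm the imported primary key has that exact fingerprint, instead of
# trusting a 64-bit key ID that several keys could share.

# Fingerprint quoted on the page, with the display spaces removed.
GUIX_RELEASE_FPR="3CE464558A84FDC69DB40CFB090B11993D9AEBB5"

# Strip spaces and upper-case hex digits so input can be compared literally.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Accept only a full v4 fingerprint; a 16-hex-digit key ID is rejected.
require_full_fpr() {
  fpr=$(normalize_fpr "$1")
  [ "${#fpr}" -eq 40 ] || return 1
  case "$fpr" in *[!0-9A-F]*) return 1 ;; esac
  printf '%s\n' "$fpr"
}

# Read `gpg --with-colons --fingerprint` output on stdin; succeed only if the
# PRIMARY key (the "fpr" record after "pub", not after "sub") has the expected
# fingerprint in field 10 of the colon format.
primary_fpr_matches() {
  want=$(normalize_fpr "$1")
  awk -F: -v want="$want" '
    $1 == "pub" { primary = 1 }
    $1 == "sub" { primary = 0 }
    $1 == "fpr" && primary && $10 == want { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Full workflow: needs network access and gpg, so the offline test below
# exercises only the helpers it is built from.
fetch_and_check_key() {
  fpr=$(require_full_fpr "$1") || { echo "pass the full fingerprint, not a key ID" >&2; return 2; }
  gpg --batch --recv-keys "$fpr" || return 1
  gpg --batch --with-colons --fingerprint "$fpr" | primary_fpr_matches "$fpr"
}

# Constructed listing in gpg's colon format (algorithm, sizes, dates, user ID
# and the subkey fingerprint are made up); only the primary fpr is real.
CONSTRUCTED_LISTING='pub:-:4096:1:090B11993D9AEBB5:1400000000::-:::scESC::::::23::0:
fpr:::::::::3CE464558A84FDC69DB40CFB090B11993D9AEBB5:
uid:-::::1400000000::0000000000000000000000000000000000000000::Example Signer <signer@example.org>::::::::::0:
sub:-:4096:1:0000000000000000:1400000000::::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'
```

Run `fetch_and_check_key "$GUIX_RELEASE_FPR"` on a networked machine; a zero exit means the key on the keyring really is the one whose fingerprint the page prints.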