From: Christopher Baines
To: Chris Marusich
Cc: guix-devel@gnu.org
Subject: Re: Security related tooling project
Date: Sun, 04 Apr 2021 09:27:42 +0100
Message-ID: <87v992314x.fsf@cbaines.net>
In-reply-to: <87mtuebpq3.fsf@gmail.com>
References: <874kgn4plq.fsf@cbaines.net> <87mtuebpq3.fsf@gmail.com>
Chris Marusich writes:

> Christopher Baines writes:
>
>> In terms of looking at security from a project perspective, I'm thinking
>> about these kinds of needs/questions:
>>
>> - What security issues affect this revision of Guix? (latest or otherwise)
>>
>> - How do Guix contributors find out about new security issues that
>>   affect Guix revisions they're interested in?
>>
>> From the user perspective, I want to look at things like:
>>
>> - How do I find out what (if any) security issues affect the software
>>   I'm currently running (through Guix)?
>>
>> - How can I get notified when a new security issue affects the software
>>   I'm currently running (through Guix)?
>>
>> Please let me know if you have any comments or questions!
>
> I think this is a great plan! The last two points in particular are
> particularly useful, I think.
>
> Everyone needs security. I think Guix is in a unique position where it
> is so easy to modify packages that (in theory, at least) anyone who
> cares can figure out how to submit a change to upgrade and fix security
> vulnerabilities.
>
> People and companies are more likely to go out of their way to fix
> packages they care about. Therefore, making it easy to identify
> vulnerabilities in specifically the packages they care about, and making
> it easier to get involved in the community to fix them, are important
> goals.
Cool :)

While it's not directly security related, I really want the
subscriptions functionality I'm planning to work on to be done so that
people can subscribe to things related to the packages they use, like
new versions becoming available, or the build breaking for example, as
that might help people stay involved.

Chris