unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Security related tooling project
@ 2021-04-03 10:41 Christopher Baines
  2021-04-03 16:13 ` Security related tooling project OFF TOPIC PRAISE Joshua Branson
                   ` (3 more replies)
  0 siblings, 4 replies; 14+ messages in thread
From: Christopher Baines @ 2021-04-03 10:41 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 2464 bytes --]

Hey,

In May last year (2020), I submitted an application to NLNet. The work I
set out wasn't something I was doing at the time, but something I hadn't
yet found time to work on, tooling specifically around security issues.

The application got a bit lost, probably somewhat down to email issues
on my end. Anyway, things picked up again in February of this year
(2021), and this is now something I'm looking to do roughly over the
next 8 months.

I've been working on stuff in and around Guix for I think around 5 years
now, and in that time I have attempted some big projects, particularly
things like the Guix Data Service and Guix Build Coordinator. I've fit
all of that around a regular non-Guix related work. The support of NLNet
means I'm able to set aside more time for Guix and this work, exactly
how much more time I can dedicate is something I'm still working on.

There's a more complete description of the aims and tasks here [1], this
email is effectively the start of the work. I want to get lots of input
and feedback on the plans I've set out, as well as checking if there's
any related or overlapping work going on.

1: https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/about/

I'm particularly excited by some of the initial work. I'm hoping getting
some initial version of Guix Data Service subscriptions in place will
open up loads of opportunities, and getting data about package
replacements (grafts) in to the Guix Data Service will be generally
helpful as well.

Once that's in place, I want to tackle 3 areas: security issues from a
project perspective, security issues from a individual user perspective
and prototype some enhancements to the patch review process,
specifically around security.

In terms of looking at security from a project perspective, I'm thinking
about these kinds of needs/questions:

 - What security issues affect this revision of Guix? (latest or otherwise)

 - How do Guix contributors find out about new security issues that
   affect Guix revisions they're interested in?

From the user perspective, I want to look at things like:

 - How do I find out what (if any) security issues affect the software
   I'm currently running (through Guix)?

 - How can I get notified when a new security issue affects the software
   I'm currently running (through Guix)?

Please let me know if you have any comments or questions!

Thanks,

Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 987 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2021-04-23 20:34 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-03 10:41 Security related tooling project Christopher Baines
2021-04-03 16:13 ` Security related tooling project OFF TOPIC PRAISE Joshua Branson
2021-04-04  8:17   ` Christopher Baines
2021-04-04 13:35     ` Joshua Branson
2021-04-03 21:44 ` Security related tooling project Léo Le Bouter
2021-04-04  8:24   ` Christopher Baines
2021-04-04  5:09 ` Chris Marusich
2021-04-04  8:27   ` Christopher Baines
2021-04-04 10:43     ` Xinglu Chen
2021-04-04 20:32     ` Chris Marusich
2021-04-17 15:20 ` Ludovic Courtès
2021-04-18  2:49   ` Bengt Richter
2021-04-23 20:34     ` Christopher Baines
2021-04-23 20:32   ` Christopher Baines

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).