From: David Craven
Subject: Re: [PATCH 2/2] services: Add 'dropbear-service'.
Date: Sat, 9 Jul 2016 23:31:41 +0200
References: <20160704205616.11599-1-david@craven.ch> <20160704205616.11599-2-david@craven.ch> <20160707172517.GA5283@jasmine> <20160709183206.GE2010@jasmine>
In-Reply-To: <20160709183206.GE2010@jasmine>
To: Leo Famulari
Cc: guix-devel@gnu.org

Maybe this could also be seen as a test of the quality of the documentation? But providing an example operating-system configuration shouldn't be a problem.
```
(use-modules (gnu))
(use-service-modules base networking ssh)

(operating-system
  (host-name "builder")
  (timezone "Europe/Zurich")
  (locale "en_US.UTF-8")

  (bootloader (grub-configuration (device "/dev/vda")))
  (file-systems (cons (file-system
                        (device "/dev/vda1")
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  (users (cons (user-account
                 (name "test")
                 (group "users")
                 (supplementary-groups '("wheel"))
                 (home-directory "/home/dummy")
                 (password "sa5JEXtYx/rm6")) ;; password is pass
               %base-user-accounts))

  (services (cons* (dhcp-client-service)
                   (dropbear-service)
                   %base-services)))
```

On Sat, Jul 9, 2016 at 8:32 PM, Leo Famulari wrote:
> On Sat, Jul 09, 2016 at 04:39:02PM +0200, David Craven wrote:
>> Yeah, I should have better said I don't know instead of talking out of my ass.
>
> That's harsh! I'm not an expert either, but I have begun trying to
> understand the assumptions that programs like SSH daemons make in their
> security model. In some cases, they assume that /dev/urandom has been
> properly seeded, which it typically is not after first boot.
>
>> All I can really do is trust that the people who write security
>> related code know what they are doing.
>
> Right, but like I said above, we must make an effort to know the
> assumptions they are making about the system.
>
>> Is there anything else holding this up?
>
> I'm not the best person to review new services — they are still a little
> over my head. At least, I should not be the sole reviewer.
>
> In the meantime, can you provide an OS declaration (config.scm) that
> makes use of dropbear-service so we can easily test it?
>
> I'd like for this to become standard practice when new services are
> submitted for review.
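The concern Leo raises in the quoted reply is that a daemon which generates its host key at first boot may read /dev/urandom before the kernel's random pool has been seeded, and /dev/urandom never refuses to answer. The probe below is an added example, not code from this thread, from Guix or from dropbear. It assumes a Linux kernel that implements getrandom(2) and Python 3.6 or later, which exposes the call as os.getrandom; on any other platform it reports "unknown" rather than guessing. The GRND_NONBLOCK probe is the honest diagnostic: the kernel answers EAGAIN exactly while its CRNG is still uninitialised, which is the window an early host-key generation falls into.

```python
"""Check that the kernel CRNG is seeded before drawing long-lived key material.

Added example (assumptions: Linux with getrandom(2), Python >= 3.6).
"""
import errno
import os
import time


def crng_state() -> str:
    """Return "ready", "not-seeded" or "unknown".

    getrandom(2) called with GRND_NONBLOCK fails with EAGAIN until the
    kernel has initialised its random pool.  That is the condition an SSH
    daemon silently ignores when it reads /dev/urandom at first boot.
    """
    if not hasattr(os, "getrandom"):  # not Linux, or Python < 3.6
        return "unknown"
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
    except BlockingIOError:  # errno EAGAIN: pool not yet seeded
        return "not-seeded"
    except OSError as exc:
        if exc.errno == errno.ENOSYS:  # kernel predates getrandom(2)
            return "unknown"
        raise
    return "ready"


def wait_for_crng(timeout_s: float, poll_s: float = 0.5) -> bool:
    """Poll crng_state() until it is "ready" or the timeout expires.

    Returns False on timeout and also when readiness cannot be determined,
    so a caller that wants a hard guarantee has to treat "unknown" as
    "not proven", not as "probably fine".
    """
    deadline = time.monotonic() + timeout_s
    while True:
        state = crng_state()
        if state == "ready":
            return True
        if state == "unknown" or time.monotonic() >= deadline:
            return False
        time.sleep(poll_s)


def key_material(nbytes: int) -> bytes:
    """Fetch key bytes in a way that cannot return unseeded output.

    A blocking getrandom(2) (flags=0) waits for the pool to be initialised.
    Reading /dev/urandom directly would return immediately even before
    seeding, which is the assumption the thread warns about.  On Python 3.6
    and later os.urandom() itself already blocks the same way (PEP 524), so
    it is the portable fallback, not open("/dev/urandom").
    """
    if hasattr(os, "getrandom"):
        return os.getrandom(nbytes, 0)  # blocks until the CRNG is ready
    return os.urandom(nbytes)


if __name__ == "__main__":
    print("CRNG state:", crng_state())
    if wait_for_crng(timeout_s=30.0):
        host_key_seed = key_material(32)
        print("drew", len(host_key_seed), "bytes of seeded key material")
    else:
        print("refusing to generate a host key: pool readiness not proven")
```

Note what the probe does not use: /proc/sys/kernel/random/entropy_avail is an estimate of pool contents, not a statement that the CRNG has been initialised, so a service that gates key generation on that number can still run too early.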