From: Efraim Flashner <efraim@flashner.co.il>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Cc: "Ludovic Courtès" <ludo@gnu.org>,
"John Kehayias" <john.kehayias@protonmail.com>,
"Guix Devel" <guix-devel@gnu.org>,
guix-maintainers@gnu.org
Subject: Re: Upgrading Guix's security team
Date: Sat, 18 Nov 2023 21:18:58 +0200 [thread overview]
Message-ID: <ZVkOImLzTsiIw8GM@3900XT> (raw)
In-Reply-To: <8734x3d6mq.fsf@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3556 bytes --]
On Fri, Nov 17, 2023 at 11:31:41PM -0500, Maxim Cournoyer wrote:
> Hi,
>
> Ludovic Courtès <ludo@gnu.org> writes:
>
> [...]
>
> > Yes, we definitely need a rotation here! I for one have my name there
> > but regardless of my interest, I have to admit that I’ve been unable to
> > be sufficiently responsive. It’s time to let new folks take
> > responsibility.
> >
> > I think we should make this a fixed-term position, to make it easier for
> > people to commit to actually being active when needed, with the
> > understanding that it’s not a commitment for life.
> >
> >> - currently we are not on the OS security distribution contact list:
> >> <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this
> >> had been discussed before but we will need commitment from people
> >>
> >> - clear roles will be helpful; to me this includes at least a couple
> >> of people to coordinate (the majority of security issues will be
> >> handled through package upgrades/grafts) and people to help review
> >> and/or contact needed experts, like for Guix internal issues; we
> >> should make this more precise
> >
> > We could distinguish security issues in packages provided by Guix from
> > security issues in Guix itself.
> >
> > That said, the security team could redirect things to members of the
> > “core” team for security issues in Guix itself; maybe we don’t need to
> > formally separate the two.
> >
> >> - likewise, a clear fixed timeframe for who is on this team; keeping
> >> people fresh and engaged for what can suddenly be a time sensitive and
> >> critical job; I think this will also help spread institutional
> >> knowledge for better security practices in general
> >
> > +1!
> >
> >> - members need not be experts but should be active in the community as
> >> committers (already a round of vetting), familiar with what issues and
> >> processes may arise, and willing to learn; perhaps we need a list of
> >> experts to consult though the current teams are a good starting point
> >
> > +1
> >
> >> - what are your thoughts? what are the goals and outcomes we as a
> >> distro want in security?
> >>
> >> - finally, I think an internal discussion with maintainers and long
> >> time active committers would be helpful to get the improvements
> >> started and moving, in addition to this wider discussion here
> >>
> >> And to get things started, I'm happy to volunteer myself to help
> >> coordinate on security, if deemed okay by our current security team,
> >> maintainers, and anyone else that's been helping to handle security. A
> >> coordinating role with a term of say 6 months to a year? Happy to
> >> provide more information and discuss here or privately; in short I'm
> >> not a security expert but have time and bandwidth to keep things
> >> moving and want to learn.
> >
> > Thank you for getting the ball moving!
> >
> > I’m all for having you on board and, to set an example, to leave as you
> > join.
> >
> > If maintainers agree (Cc’d), I invite you to add your name and a
> > termination date to the security page, remove my name, and subscribe to
> > guix-security. We should add a term for other people on the team too.
> >
> > How does that sound?
>
> Sounds good to me!
Sounds good to me too.
--
Efraim Flashner <efraim@flashner.co.il> רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2023-11-18 19:19 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-05 15:41 Upgrading Guix's security team John Kehayias
2023-11-16 14:22 ` Ludovic Courtès
2023-11-16 15:15 ` Andreas Enge
2023-11-18 4:31 ` Maxim Cournoyer
2023-11-18 19:18 ` Efraim Flashner [this message]
2023-11-22 18:16 ` Ludovic Courtès
2023-11-22 18:39 ` Leo Famulari
2023-11-22 19:02 ` Tobias Geerinckx-Rice
2023-12-09 10:55 ` Ludovic Courtès
2023-11-23 6:50 ` John Kehayias
2023-11-29 16:15 ` Simon Tournier
2024-02-05 19:34 ` Hartmut Goebel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZVkOImLzTsiIw8GM@3900XT \
--to=efraim@flashner.co.il \
--cc=guix-devel@gnu.org \
--cc=guix-maintainers@gnu.org \
--cc=john.kehayias@protonmail.com \
--cc=ludo@gnu.org \
--cc=maxim.cournoyer@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).