Re: Security related tooling project

["Léo Le Bouter" <lle-bout@zaclys.net>]

[-- Attachment #1: Type: text/plain, Size: 3242 bytes --]

On Sat, 2021-04-03 at 11:41 +0100, Christopher Baines wrote:
> Hey,
> 
> In May last year (2020), I submitted an application to NLNet. The
> work I
> set out wasn't something I was doing at the time, but something I
> hadn't
> yet found time to work on, tooling specifically around security
> issues.
> 
> The application got a bit lost, probably somewhat down to email
> issues
> on my end. Anyway, things picked up again in February of this year
> (2021), and this is now something I'm looking to do roughly over the
> next 8 months.
> 
> I've been working on stuff in and around Guix for I think around 5
> years
> now, and in that time I have attempted some big projects,
> particularly
> things like the Guix Data Service and Guix Build Coordinator. I've
> fit
> all of that around a regular non-Guix related work. The support of
> NLNet
> means I'm able to set aside more time for Guix and this work, exactly
> how much more time I can dedicate is something I'm still working on.
> 
> There's a more complete description of the aims and tasks here [1],
> this
> email is effectively the start of the work. I want to get lots of
> input
> and feedback on the plans I've set out, as well as checking if
> there's
> any related or overlapping work going on.
> 
> 1: 
> https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/about/
> 
> I'm particularly excited by some of the initial work. I'm hoping
> getting
> some initial version of Guix Data Service subscriptions in place will
> open up loads of opportunities, and getting data about package
> replacements (grafts) in to the Guix Data Service will be generally
> helpful as well.
> 
> Once that's in place, I want to tackle 3 areas: security issues from
> a
> project perspective, security issues from a individual user
> perspective
> and prototype some enhancements to the patch review process,
> specifically around security.
> 
> In terms of looking at security from a project perspective, I'm
> thinking
> about these kinds of needs/questions:
> 
>  - What security issues affect this revision of Guix? (latest or
> otherwise)
> 
>  - How do Guix contributors find out about new security issues that
>    affect Guix revisions they're interested in?
> 
> From the user perspective, I want to look at things like:
> 
>  - How do I find out what (if any) security issues affect the
> software
>    I'm currently running (through Guix)?
> 
>  - How can I get notified when a new security issue affects the
> software
>    I'm currently running (through Guix)?
> 
> Please let me know if you have any comments or questions!
> 
> Thanks,
> 
> Chris

That's really really awesome Chris! I especially like that also users
are invited to particpate in the process and the information is shared
there as well!

If I have a comment about the CVE mechanism is that it seems CPE
vendor/name labeling isnt done well or not fast enough in practice,
most flaws I fix they do not have CPE name and vendor specified. So I
wonder how to automate recognition of them here. I believe some could
try and parse the summary with natural language analysis but that also
seems quite imprecise.

Léo

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]