From: "Léo Le Bouter" <lle-bout@zaclys.net>
To: Christopher Baines <mail@cbaines.net>, guix-devel@gnu.org
Subject: Re: Security related tooling project
Date: Sat, 03 Apr 2021 23:44:24 +0200 [thread overview]
Message-ID: <b8530b2d38afdd1b4a15fb10dd37ee187584c20e.camel@zaclys.net> (raw)
In-Reply-To: <874kgn4plq.fsf@cbaines.net>
[-- Attachment #1: Type: text/plain, Size: 3242 bytes --]
On Sat, 2021-04-03 at 11:41 +0100, Christopher Baines wrote:
> Hey,
>
> In May last year (2020), I submitted an application to NLNet. The
> work I
> set out wasn't something I was doing at the time, but something I
> hadn't
> yet found time to work on, tooling specifically around security
> issues.
>
> The application got a bit lost, probably somewhat down to email
> issues
> on my end. Anyway, things picked up again in February of this year
> (2021), and this is now something I'm looking to do roughly over the
> next 8 months.
>
> I've been working on stuff in and around Guix for I think around 5
> years
> now, and in that time I have attempted some big projects,
> particularly
> things like the Guix Data Service and Guix Build Coordinator. I've
> fit
> all of that around a regular non-Guix related work. The support of
> NLNet
> means I'm able to set aside more time for Guix and this work, exactly
> how much more time I can dedicate is something I'm still working on.
>
> There's a more complete description of the aims and tasks here [1],
> this
> email is effectively the start of the work. I want to get lots of
> input
> and feedback on the plans I've set out, as well as checking if
> there's
> any related or overlapping work going on.
>
> 1:
> https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/about/
>
> I'm particularly excited by some of the initial work. I'm hoping
> getting
> some initial version of Guix Data Service subscriptions in place will
> open up loads of opportunities, and getting data about package
> replacements (grafts) in to the Guix Data Service will be generally
> helpful as well.
>
> Once that's in place, I want to tackle 3 areas: security issues from
> a
> project perspective, security issues from a individual user
> perspective
> and prototype some enhancements to the patch review process,
> specifically around security.
>
> In terms of looking at security from a project perspective, I'm
> thinking
> about these kinds of needs/questions:
>
> - What security issues affect this revision of Guix? (latest or
> otherwise)
>
> - How do Guix contributors find out about new security issues that
> affect Guix revisions they're interested in?
>
> From the user perspective, I want to look at things like:
>
> - How do I find out what (if any) security issues affect the
> software
> I'm currently running (through Guix)?
>
> - How can I get notified when a new security issue affects the
> software
> I'm currently running (through Guix)?
>
> Please let me know if you have any comments or questions!
>
> Thanks,
>
> Chris
That's really really awesome Chris! I especially like that also users
are invited to particpate in the process and the information is shared
there as well!
If I have a comment about the CVE mechanism is that it seems CPE
vendor/name labeling isnt done well or not fast enough in practice,
most flaws I fix they do not have CPE name and vendor specified. So I
wonder how to automate recognition of them here. I believe some could
try and parse the summary with natural language analysis but that also
seems quite imprecise.
Léo
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2021-04-03 21:44 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-03 10:41 Security related tooling project Christopher Baines
2021-04-03 16:13 ` Security related tooling project OFF TOPIC PRAISE Joshua Branson
2021-04-04 8:17 ` Christopher Baines
2021-04-04 13:35 ` Joshua Branson
2021-04-03 21:44 ` Léo Le Bouter [this message]
2021-04-04 8:24 ` Security related tooling project Christopher Baines
2021-04-04 5:09 ` Chris Marusich
2021-04-04 8:27 ` Christopher Baines
2021-04-04 10:43 ` Xinglu Chen
2021-04-04 20:32 ` Chris Marusich
2021-04-17 15:20 ` Ludovic Courtès
2021-04-18 2:49 ` Bengt Richter
2021-04-23 20:34 ` Christopher Baines
2021-04-23 20:32 ` Christopher Baines
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b8530b2d38afdd1b4a15fb10dd37ee187584c20e.camel@zaclys.net \
--to=lle-bout@zaclys.net \
--cc=guix-devel@gnu.org \
--cc=mail@cbaines.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).