On Sat, 2021-04-03 at 11:41 +0100, Christopher Baines wrote:
> Hey,
>
> In May last year (2020), I submitted an application to NLNet. The work I
> set out wasn't something I was doing at the time, but something I hadn't
> yet found time to work on, tooling specifically around security issues.
>
> The application got a bit lost, probably somewhat down to email issues
> on my end. Anyway, things picked up again in February of this year
> (2021), and this is now something I'm looking to do roughly over the
> next 8 months.
>
> I've been working on stuff in and around Guix for I think around 5 years
> now, and in that time I have attempted some big projects, particularly
> things like the Guix Data Service and Guix Build Coordinator. I've fit
> all of that around regular non-Guix related work. The support of NLNet
> means I'm able to set aside more time for Guix and this work; exactly
> how much more time I can dedicate is something I'm still working on.
>
> There's a more complete description of the aims and tasks here [1]; this
> email is effectively the start of the work. I want to get lots of input
> and feedback on the plans I've set out, as well as checking if there's
> any related or overlapping work going on.
>
> 1: https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/about/
>
> I'm particularly excited by some of the initial work. I'm hoping getting
> some initial version of Guix Data Service subscriptions in place will
> open up loads of opportunities, and getting data about package
> replacements (grafts) into the Guix Data Service will be generally
> helpful as well.
>
> Once that's in place, I want to tackle 3 areas: security issues from a
> project perspective, security issues from an individual user perspective,
> and prototyping some enhancements to the patch review process,
> specifically around security.
>
> In terms of looking at security from a project perspective, I'm thinking
> about these kinds of needs/questions:
>
> - What security issues affect this revision of Guix? (latest or
>   otherwise)
>
> - How do Guix contributors find out about new security issues that
>   affect Guix revisions they're interested in?
>
> From the user perspective, I want to look at things like:
>
> - How do I find out what (if any) security issues affect the software
>   I'm currently running (through Guix)?
>
> - How can I get notified when a new security issue affects the software
>   I'm currently running (through Guix)?
>
> Please let me know if you have any comments or questions!
>
> Thanks,
>
> Chris

That's really, really awesome Chris! I especially like that users are also invited to participate in the process and that the information is shared there as well!

If I have a comment about the CVE mechanism, it is that CPE vendor/name labelling isn't done well, or not fast enough, in practice: most flaws I fix do not have a CPE name and vendor specified. So I wonder how to automate recognition of them here. I believe some could try to parse the summary with natural language analysis, but that also seems quite imprecise.

Léo
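To make the CPE problem Léo raises concrete, here is an added example (not code from this thread, from Guix, or from the Guix Data Service) that matches CVE records against a package list. When a record carries CPE configuration data the match is exact; when it does not, the only thing left is the free-text summary, and a token match on it is flagged as a candidate for human review rather than a finding. The CVE items are constructed (they use the obviously fake IDs CVE-0000-000N and a fictional "Frobnicator" product) and are shaped loosely after the NVD JSON 1.1 feed; the package-to-CPE table is a hypothetical stand-in for per-package CPE vendor/name metadata.

```python
"""Matching CVE records to packages with and without CPE data.

Added example, not Guix or Guix Data Service code.  CVE items and the
package table below are constructed / hypothetical.
"""
import re

# Hypothetical: package name -> (CPE vendor, CPE product).  Real metadata
# of this kind is exactly what is missing when a CVE has no CPE entry yet.
PACKAGES = {
    "curl": ("haxx", "curl"),
    "libxml2": ("xmlsoft", "libxml2"),
    "openssl": ("openssl", "openssl"),
    "python": ("python", "python"),
}

# Constructed records.  Fake IDs on purpose.
CONSTRUCTED_CVES = [
    {   # Properly labelled: CPE data names the affected product.
        "cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
                "description": {"description_data": [
                    {"lang": "en", "value": "curl before 7.76.0 mishandles ..."}]}},
        "configurations": {"nodes": [{"operator": "OR", "children": [], "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:haxx:curl:7.75.0:*:*:*:*:*:*:*"}]}]},
    },
    {   # No CPE data yet; only the free-text summary names the software.
        "cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"},
                "description": {"description_data": [
                    {"lang": "en",
                     "value": "A buffer overflow in libxml2's xmlParseElement allows ..."}]}},
        "configurations": {"nodes": []},
    },
    {   # No CPE data, and the summary mentions a package that is NOT the
        # vulnerable one: the summary heuristic produces a false positive.
        "cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"},
                "description": {"description_data": [
                    {"lang": "en",
                     "value": "The Frobnicator service's Python bindings mishandle untrusted input."}]}},
        "configurations": {"nodes": []},
    },
]


def cpe_products(item):
    """Return the set of (vendor, product) pairs marked vulnerable in an
    NVD-style configuration tree.  Colons inside a CPE component are
    escaped as '\\:', so split only on unescaped colons."""
    found = set()
    stack = list(item.get("configurations", {}).get("nodes", []))
    while stack:
        node = stack.pop()
        for match in node.get("cpe_match", []):
            if not match.get("vulnerable", True):
                continue
            parts = re.split(r"(?<!\\):", match["cpe23Uri"])
            # cpe:2.3:<part>:<vendor>:<product>:<version>:...  ; 'a' = application
            if len(parts) >= 5 and parts[2] == "a":
                found.add((parts[3], parts[4]))
        stack.extend(node.get("children", []))
    return found


def description(item):
    """English description text, or '' if none."""
    for entry in item["cve"]["description"]["description_data"]:
        if entry.get("lang") == "en":
            return entry["value"]
    return ""


def summary_candidates(text, packages):
    """Package names that appear as whole tokens in the summary.  This is
    the imprecise fallback: it cannot tell 'vulnerable in X' from
    'X bindings of Y', so results are candidates, not matches."""
    tokens = set(re.findall(r"[a-z0-9][a-z0-9+._-]*", text.lower()))
    return sorted(name for name in packages if name in tokens)


def match_cve(item, packages=PACKAGES):
    """Classify one CVE: exact matches via CPE, else review candidates."""
    by_cpe = {vp: name for name, vp in packages.items()}
    products = cpe_products(item)
    result = {
        "id": item["cve"]["CVE_data_meta"]["ID"],
        "has_cpe": bool(products),
        "matched": sorted({by_cpe[vp] for vp in products if vp in by_cpe}),
        "candidates": [],
    }
    if not products:  # unlabelled record: fall back to the summary, for review only
        result["candidates"] = summary_candidates(description(item), packages)
    return result


def triage(items, packages=PACKAGES):
    return [match_cve(item, packages) for item in items]


if __name__ == "__main__":
    for r in triage(CONSTRUCTED_CVES):
        state = "match" if r["matched"] else ("REVIEW" if r["candidates"] else "no package")
        print(r["id"], state, r["matched"] or r["candidates"])
```

Running it on the three constructed records gives one exact match (curl, via CPE), one review candidate (libxml2, from the summary only) and one false-positive candidate (python, because the word appears in an unrelated summary), which is the imprecision Léo describes: without vendor/product labels the feed can only be prioritised for a human, not acted on automatically.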