From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:8:6d80::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id cOSMHtHhaGAP+QAAgWs5BA (envelope-from ) for ; Sat, 03 Apr 2021 23:44:49 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id uPYoGdHhaGCpewAAB5/wlQ (envelope-from ) for ; Sat, 03 Apr 2021 21:44:49 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 1ADCD170D6 for ; Sat, 3 Apr 2021 23:44:49 +0200 (CEST) Received: from localhost ([::1]:34572 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lSo4W-0006Zh-8t for larch@yhetil.org; Sat, 03 Apr 2021 17:44:48 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58482) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lSo4N-0006ZY-Ee for guix-devel@gnu.org; Sat, 03 Apr 2021 17:44:39 -0400 Received: from mail.zaclys.net ([178.33.93.72]:56719) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lSo4K-0006td-1M for guix-devel@gnu.org; Sat, 03 Apr 2021 17:44:39 -0400 Received: from [192.168.1.115] (lsl43-1_migr-78-195-19-20.fbx.proxad.net [78.195.19.20] (may be forged)) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 133LiWtl021509 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 3 Apr 2021 23:44:32 +0200 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 133LiWtl021509 Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1617486272; bh=PPXA8GuUoK8c7AWFxQAO10LZnj6nuDV4IAhTNmiOXeQ=; h=Subject:From:To:Date:In-Reply-To:References:From; b=H+8a+wRavXHVBxGPQ+owMpDz8benDEyVD1GMQiK3WLll9TqM8sOaFEZChx0sPFTVi UMLYg8OS+fPQq+6oPKV3hiIfmAuCHqDGCidFYW9gz395HvUa321pFlUE1Tbgop1koa HUHxAJ8JkvAmzYYAhes6JXcdFj6lMtWDihs7eopo= Message-ID: Subject: Re: Security related tooling project From: =?ISO-8859-1?Q?L=E9o?= Le Bouter To: Christopher Baines , guix-devel@gnu.org Date: Sat, 03 Apr 2021 23:44:24 +0200 In-Reply-To: <874kgn4plq.fsf@cbaines.net> References: <874kgn4plq.fsf@cbaines.net> Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-FrWKR56BYUzReTGWdKRr" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net; helo=mail.zaclys.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1617486289; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=PPXA8GuUoK8c7AWFxQAO10LZnj6nuDV4IAhTNmiOXeQ=; b=gt3YkHuK9YX4/+7uPI1Dkoca4TQF8whIsXCXU7HuCxjodLByHZtwJgQwoHWRw7fZTYoHd/ MozLuPu05C06cfxk1GvQaW7DIJ3DtRAPTDkJO9nZLm6WqX7705rasbYDKWh/v/CurB5Tv+ Ss38FBG18rArsl5xAsyl7qeSFpAyO5DqIIdz/gZalLKf+gTOZclsiUqWttAt0nAXJcqs9V dCmOMJ9Pw5VxDJOg/So8bZLYEkNW+MCaxaYzyDWDCZq1hXakcSkv8b8QmTgyY/Al322hk7 d6IPH5i2IblfjGDHjE5NlX1QE196U7EFS6bZzlWKWkbsTN7cckX9Av0kCJmHoQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617486289; a=rsa-sha256; cv=none; b=kcbHi3PwrvfIk3FXsgvngsTNa7rYdvsrcKplPK015DBwOoWXqyC+J/+zwLH6IBrny+UGEJ Zq3fWR21J0XbImLy1NKBcl6uobUMNy+2fit48s0okkjOoaE4ACcVtLmTVn3BKMmRFXMoyZ EH2htEIBPFGWQ/qJd6ZFdNhVbio7Mz/HD84E3ayrNfvXWxmMQCc5Q4h05uilvJ7443NFhU 7uixTpkMob/yDXHybrKDf/fq9kM8ja1kf8Ligi2kf2YTWpo476X5QBMnA9RGaSQlZW9a1i 6weP5TylK4Iq4Mj54ixFY5I87FXKA2VXNUJfFczbww78nHz0syS4F/j2z4fSzw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=zaclys.net header.s=default header.b=H+8a+wRa; dmarc=pass (policy=reject) header.from=zaclys.net; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -5.23 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=zaclys.net header.s=default header.b=H+8a+wRa; dmarc=pass (policy=reject) header.from=zaclys.net; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 1ADCD170D6 X-Spam-Score: -5.23 X-Migadu-Scanner: scn0.migadu.com X-TUID: o7xrl64xiMQ0 --=-FrWKR56BYUzReTGWdKRr Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Sat, 2021-04-03 at 11:41 +0100, Christopher Baines wrote: > Hey, >=20 > In May last year (2020), I submitted an application to NLNet. The > work I > set out wasn't something I was doing at the time, but something I > hadn't > yet found time to work on, tooling specifically around security > issues. >=20 > The application got a bit lost, probably somewhat down to email > issues > on my end. Anyway, things picked up again in February of this year > (2021), and this is now something I'm looking to do roughly over the > next 8 months. >=20 > I've been working on stuff in and around Guix for I think around 5 > years > now, and in that time I have attempted some big projects, > particularly > things like the Guix Data Service and Guix Build Coordinator. I've > fit > all of that around a regular non-Guix related work. The support of > NLNet > means I'm able to set aside more time for Guix and this work, exactly > how much more time I can dedicate is something I'm still working on. >=20 > There's a more complete description of the aims and tasks here [1], > this > email is effectively the start of the work. I want to get lots of > input > and feedback on the plans I've set out, as well as checking if > there's > any related or overlapping work going on. >=20 > 1:=20 > https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/about/ >=20 > I'm particularly excited by some of the initial work. I'm hoping > getting > some initial version of Guix Data Service subscriptions in place will > open up loads of opportunities, and getting data about package > replacements (grafts) in to the Guix Data Service will be generally > helpful as well. >=20 > Once that's in place, I want to tackle 3 areas: security issues from > a > project perspective, security issues from a individual user > perspective > and prototype some enhancements to the patch review process, > specifically around security. >=20 > In terms of looking at security from a project perspective, I'm > thinking > about these kinds of needs/questions: >=20 > - What security issues affect this revision of Guix? (latest or > otherwise) >=20 > - How do Guix contributors find out about new security issues that > affect Guix revisions they're interested in? >=20 > From the user perspective, I want to look at things like: >=20 > - How do I find out what (if any) security issues affect the > software > I'm currently running (through Guix)? >=20 > - How can I get notified when a new security issue affects the > software > I'm currently running (through Guix)? >=20 > Please let me know if you have any comments or questions! >=20 > Thanks, >=20 > Chris That's really really awesome Chris! I especially like that also users are invited to particpate in the process and the information is shared there as well! If I have a comment about the CVE mechanism is that it seems CPE vendor/name labeling isnt done well or not fast enough in practice, most flaws I fix they do not have CPE name and vendor specified. So I wonder how to automate recognition of them here. I believe some could try and parse the summary with natural language analysis but that also seems quite imprecise. L=C3=A9o --=-FrWKR56BYUzReTGWdKRr Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBo4bgACgkQRaix6GvN EKalBg//T7g3m9kBe9ddZa9YvFkuZbJAQSGVt1KD7LTF1pTqa+icnIB4CCzqkjVi 4zQelNc+9KqT2xw5jJWq+L7BWMz6mGB254ZH+nrFGyChner1p0k8g5Rjqscp3j3q uo7sIaugwFQ4yJhsBSVEYP8jXEp8Zg2CMB2GCNJsliyfGZ+MSIklNkcib2jeRdr7 nDQaEOP5C3wQ/Z+Li40gaGFn4gPE+TxXmOTsSwMIsY4UdHT7cMNex1aE4iTZ8a2l CZjMg/pMT3VwszzSSrGp8M0pe4Nsw65ZtaJwhsJkQGOSc3EAZdqD3FJ2XXJfL8pG nEX5Jl3rKzP9RLJ9W0sVm0Yfwjalxs+3wXtax7ZmslTdtxsySVGswDpAGZMzPqYk jq+UQJGEKKgBzNEM4p0dZR9es9tcx4t9J4vu1Ptu81UExHYazAe+0hIuUhwKVo7o NVyZ2YFqhbcOlNT0P4f+lJJr6Aq+RgchLJp7p/l3AyToivyWIyYBq2kF8jZzrvPp Z9RJTKRDRZbHmhBVu5sMiG047RS4UkH5dQ1XFynBu42FbeOQ1a3frb20ZnH7Cuha rIldj7oG8VHFNK8fEgAuPJD2k7SpdXKfb1PqeTR69ZWX3y19+xZwmofdd7SjN4zo t0XxfmcakuRpHQ60vBqZd1LM/ujMcwpNp91yyMVs8KGT9w27UZc= =hd36 -----END PGP SIGNATURE----- --=-FrWKR56BYUzReTGWdKRr--