Upgrading Guix's security team

Upgrading Guix's security team

[John Kehayias]

Hi Guixers!

In light of the several high profile CVEs this month, which were/are being handled and more coming (curl joins the chat) some of us were discussing improving and systematizing our security team and responses. My thanks to Tobias for quick review to help finalize the XOrg CVE grafts, to Liliana for the pending glibc fix (see <https://issues.guix.gnu.org/66348>) and updating curl in preparation for a critical CVE update, and Ludo for getting this discussion started.

Here are some quick thoughts/ideas that came up for comment:

- current security email/people can be found here, which is nicely visible <https://guix.gnu.org/en/security/> yet probably in need of a hand and new faces for an important but often thankless job; no fault to them or Guix as a whole, merely a good time to see how we can keep improving

- currently we are not on the OS security distribution contact list: <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this had been discussed before but we will need commitment from people

- clear roles will be helpful; to me this includes at least a couple of people to coordinate (the majority of security issues will be handled through package upgrades/grafts) and people to help review and/or contact needed experts, like for Guix internal issues; we should make this more precise

- likewise, a clear fixed timeframe for who is on this team; keeping people fresh and engaged for what can suddenly be a time sensitive and critical job; I think this will also help spread institutional knowledge for better security practices in general

- members need not be experts but should be active in the community as committers (already a round of vetting), familiar with what issues and processes may arise, and willing to learn; perhaps we need a list of experts to consult though the current teams are a good starting point

- what are your thoughts? what are the goals and outcomes we as a distro want in security?

- finally, I think an internal discussion with maintainers and long time active committers would be helpful to get the improvements started and moving, in addition to this wider discussion here

And to get things started, I'm happy to volunteer myself to help coordinate on security, if deemed okay by our current security team, maintainers, and anyone else that's been helping to handle security. A coordinating role with a term of say 6 months to a year? Happy to provide more information and discuss here or privately; in short I'm not a security expert but have time and bandwidth to keep things moving and want to learn.

Thanks everyone, and here's to hoping the spooky season is full of fun and candy and less CVEs!

John Kehayias

Re: Upgrading Guix's security team

[Ludovic Courtès]

Hi John,

Looks like this message was left unanswered for more than a month, which
proves you have a point!

John Kehayias <john.kehayias@protonmail.com> skribis:

> - current security email/people can be found here, which is nicely
> visible <https://guix.gnu.org/en/security/> yet probably in need of a
> hand and new faces for an important but often thankless job; no fault
> to them or Guix as a whole, merely a good time to see how we can keep
> improving

Yes, we definitely need a rotation here!  I for one have my name there
but regardless of my interest, I have to admit that I’ve been unable to
be sufficiently responsive.  It’s time to let new folks take
responsibility.

I think we should make this a fixed-term position, to make it easier for
people to commit to actually being active when needed, with the
understanding that it’s not a commitment for life.

> - currently we are not on the OS security distribution contact list:
> <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this
> had been discussed before but we will need commitment from people
>
> - clear roles will be helpful; to me this includes at least a couple
> of people to coordinate (the majority of security issues will be
> handled through package upgrades/grafts) and people to help review
> and/or contact needed experts, like for Guix internal issues; we
> should make this more precise

We could distinguish security issues in packages provided by Guix from
security issues in Guix itself.

That said, the security team could redirect things to members of the
“core” team for security issues in Guix itself; maybe we don’t need to
formally separate the two.

> - likewise, a clear fixed timeframe for who is on this team; keeping
> people fresh and engaged for what can suddenly be a time sensitive and
> critical job; I think this will also help spread institutional
> knowledge for better security practices in general

+1!

> - members need not be experts but should be active in the community as
> committers (already a round of vetting), familiar with what issues and
> processes may arise, and willing to learn; perhaps we need a list of
> experts to consult though the current teams are a good starting point

+1

> - what are your thoughts? what are the goals and outcomes we as a
> distro want in security?
>
> - finally, I think an internal discussion with maintainers and long
> time active committers would be helpful to get the improvements
> started and moving, in addition to this wider discussion here
>
> And to get things started, I'm happy to volunteer myself to help
> coordinate on security, if deemed okay by our current security team,
> maintainers, and anyone else that's been helping to handle security. A
> coordinating role with a term of say 6 months to a year? Happy to
> provide more information and discuss here or privately; in short I'm
> not a security expert but have time and bandwidth to keep things
> moving and want to learn.

Thank you for getting the ball moving!

I’m all for having you on board and, to set an example, to leave as you
join.

If maintainers agree (Cc’d), I invite you to add your name and a
termination date to the security page, remove my name, and subscribe to
guix-security.  We should add a term for other people on the team too.

How does that sound?

Ludo’.

Re: Upgrading Guix's security team

[Andreas Enge]

Hello,

Am Thu, Nov 16, 2023 at 03:22:42PM +0100 schrieb Ludovic Courtès:
> Yes, we definitely need a rotation here!  I for one have my name there
> but regardless of my interest, I have to admit that I’ve been unable to
> be sufficiently responsive.  It’s time to let new folks take
> responsibility.
> I think we should make this a fixed-term position, to make it easier for
> people to commit to actually being active when needed, with the
> understanding that it’s not a commitment for life.

all this sounds good. Maybe we should also clean up the mailing list.
I am on the list, but not mentioned on the security team site, and will
be happy to be removed. (My being here probably comes from a mismatch
between being interested in "security" and knowing things about "crypto-
graphy", and my inability to act upon concrete situations of security
problems in packages.)

Andreas

Re: Upgrading Guix's security team

[Maxim Cournoyer]

Hi,

Ludovic Courtès <ludo@gnu.org> writes:

[...]

> Yes, we definitely need a rotation here!  I for one have my name there
> but regardless of my interest, I have to admit that I’ve been unable to
> be sufficiently responsive.  It’s time to let new folks take
> responsibility.
>
> I think we should make this a fixed-term position, to make it easier for
> people to commit to actually being active when needed, with the
> understanding that it’s not a commitment for life.
>
>> - currently we are not on the OS security distribution contact list:
>> <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this
>> had been discussed before but we will need commitment from people
>>
>> - clear roles will be helpful; to me this includes at least a couple
>> of people to coordinate (the majority of security issues will be
>> handled through package upgrades/grafts) and people to help review
>> and/or contact needed experts, like for Guix internal issues; we
>> should make this more precise
>
> We could distinguish security issues in packages provided by Guix from
> security issues in Guix itself.
>
> That said, the security team could redirect things to members of the
> “core” team for security issues in Guix itself; maybe we don’t need to
> formally separate the two.
>
>> - likewise, a clear fixed timeframe for who is on this team; keeping
>> people fresh and engaged for what can suddenly be a time sensitive and
>> critical job; I think this will also help spread institutional
>> knowledge for better security practices in general
>
> +1!
>
>> - members need not be experts but should be active in the community as
>> committers (already a round of vetting), familiar with what issues and
>> processes may arise, and willing to learn; perhaps we need a list of
>> experts to consult though the current teams are a good starting point
>
> +1
>
>> - what are your thoughts? what are the goals and outcomes we as a
>> distro want in security?
>>
>> - finally, I think an internal discussion with maintainers and long
>> time active committers would be helpful to get the improvements
>> started and moving, in addition to this wider discussion here
>>
>> And to get things started, I'm happy to volunteer myself to help
>> coordinate on security, if deemed okay by our current security team,
>> maintainers, and anyone else that's been helping to handle security. A
>> coordinating role with a term of say 6 months to a year? Happy to
>> provide more information and discuss here or privately; in short I'm
>> not a security expert but have time and bandwidth to keep things
>> moving and want to learn.
>
> Thank you for getting the ball moving!
>
> I’m all for having you on board and, to set an example, to leave as you
> join.
>
> If maintainers agree (Cc’d), I invite you to add your name and a
> termination date to the security page, remove my name, and subscribe to
> guix-security.  We should add a term for other people on the team too.
>
> How does that sound?

Sounds good to me!

-- 
Thanks,
Maxim

Re: Upgrading Guix's security team

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 3556 bytes --]

On Fri, Nov 17, 2023 at 11:31:41PM -0500, Maxim Cournoyer wrote:
> Hi,
> 
> Ludovic Courtès <ludo@gnu.org> writes:
> 
> [...]
> 
> > Yes, we definitely need a rotation here!  I for one have my name there
> > but regardless of my interest, I have to admit that I’ve been unable to
> > be sufficiently responsive.  It’s time to let new folks take
> > responsibility.
> >
> > I think we should make this a fixed-term position, to make it easier for
> > people to commit to actually being active when needed, with the
> > understanding that it’s not a commitment for life.
> >
> >> - currently we are not on the OS security distribution contact list:
> >> <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this
> >> had been discussed before but we will need commitment from people
> >>
> >> - clear roles will be helpful; to me this includes at least a couple
> >> of people to coordinate (the majority of security issues will be
> >> handled through package upgrades/grafts) and people to help review
> >> and/or contact needed experts, like for Guix internal issues; we
> >> should make this more precise
> >
> > We could distinguish security issues in packages provided by Guix from
> > security issues in Guix itself.
> >
> > That said, the security team could redirect things to members of the
> > “core” team for security issues in Guix itself; maybe we don’t need to
> > formally separate the two.
> >
> >> - likewise, a clear fixed timeframe for who is on this team; keeping
> >> people fresh and engaged for what can suddenly be a time sensitive and
> >> critical job; I think this will also help spread institutional
> >> knowledge for better security practices in general
> >
> > +1!
> >
> >> - members need not be experts but should be active in the community as
> >> committers (already a round of vetting), familiar with what issues and
> >> processes may arise, and willing to learn; perhaps we need a list of
> >> experts to consult though the current teams are a good starting point
> >
> > +1
> >
> >> - what are your thoughts? what are the goals and outcomes we as a
> >> distro want in security?
> >>
> >> - finally, I think an internal discussion with maintainers and long
> >> time active committers would be helpful to get the improvements
> >> started and moving, in addition to this wider discussion here
> >>
> >> And to get things started, I'm happy to volunteer myself to help
> >> coordinate on security, if deemed okay by our current security team,
> >> maintainers, and anyone else that's been helping to handle security. A
> >> coordinating role with a term of say 6 months to a year? Happy to
> >> provide more information and discuss here or privately; in short I'm
> >> not a security expert but have time and bandwidth to keep things
> >> moving and want to learn.
> >
> > Thank you for getting the ball moving!
> >
> > I’m all for having you on board and, to set an example, to leave as you
> > join.
> >
> > If maintainers agree (Cc’d), I invite you to add your name and a
> > termination date to the security page, remove my name, and subscribe to
> > guix-security.  We should add a term for other people on the team too.
> >
> > How does that sound?
> 
> Sounds good to me!

Sounds good to me too.

-- 
Efraim Flashner   <efraim@flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Upgrading Guix's security team

[Ludovic Courtès]

Hello,

Efraim Flashner <efraim@flashner.co.il> skribis:

> On Fri, Nov 17, 2023 at 11:31:41PM -0500, Maxim Cournoyer wrote:

[...]

>> > If maintainers agree (Cc’d), I invite you to add your name and a
>> > termination date to the security page, remove my name, and subscribe to
>> > guix-security.  We should add a term for other people on the team too.
>> >
>> > How does that sound?
>> 
>> Sounds good to me!
>
> Sounds good to me too.

I added John and removed myself from the security page in guix-artwork
commit 1bd9d383cc1de4cf0eb220129c065a98332b798b.

I’ve also unsubscribed Andreas and myself from the list; there are now 4
people subscribed (we should check whether the 4th person wants to be
officially involved).

Leo, Tobias, and John: What would be a good end-of-term date for each
one of you?  As I see it, it wouldn’t mean you cannot do an additional
term but rather that you’ll have an opportunity to leave and that you’ll
do your best to be around by then.

Thanks again for volunteering, John!

Ludo’.

Re: Upgrading Guix's security team

[Leo Famulari]

On Wed, Nov 22, 2023 at 07:16:21PM +0100, Ludovic Courtès wrote:
> Leo, Tobias, and John: What would be a good end-of-term date for each
> one of you?  As I see it, it wouldn’t mean you cannot do an additional
> term but rather that you’ll have an opportunity to leave and that you’ll
> do your best to be around by then.

I think my end date should be ASAP. I'm sure everyone noticed that I
haven't been very involved in Guix lately, and I don't know when I can
be more involved again.

Re: Upgrading Guix's security team

[Tobias Geerinckx-Rice]

Great, I was waiting for someone to reply so's to glom on and ask to be included in the same commit to minimise noise.

So, there.

Kind regards,

T G-R

Sent on the go.  Excuse or enjoy my brevity.

Re: Upgrading Guix's security team

[Ludovic Courtès]

Hello!

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

> Great, I was waiting for someone to reply so's to glom on and ask to be included in the same commit to minimise noise.

Could you take care of updating the security web page?

Ludo’.

Re: Upgrading Guix's security team

[John Kehayias]

Hi Ludo’ and everyone else,

On Wed, Nov 22, 2023 at 07:16 PM, Ludovic Courtès wrote:

> Hello,
>
> Efraim Flashner <efraim@flashner.co.il> skribis:
>
>> On Fri, Nov 17, 2023 at 11:31:41PM -0500, Maxim Cournoyer wrote:
>
> [...]
>
>>> > If maintainers agree (Cc’d), I invite you to add your name and a
>>> > termination date to the security page, remove my name, and subscribe to
>>> > guix-security.  We should add a term for other people on the team too.
>>> >
>>> > How does that sound?
>>>
>>> Sounds good to me!
>>
>> Sounds good to me too.
>
> I added John and removed myself from the security page in guix-artwork
> commit 1bd9d383cc1de4cf0eb220129c065a98332b798b.
>

Thanks and happy to be a part of the team!

> I’ve also unsubscribed Andreas and myself from the list; there are now 4
> people subscribed (we should check whether the 4th person wants to be
> officially involved).
>
> Leo, Tobias, and John: What would be a good end-of-term date for each
> one of you?  As I see it, it wouldn’t mean you cannot do an additional
> term but rather that you’ll have an opportunity to leave and that you’ll
> do your best to be around by then.
>

Seeing as how I'm often away from any Guix computers for a few weeks
at a time over the summer, let me say roughly 6 months, ending on May
15th.

As you say, likely I would be happy to continue, though parts of
summer I tend to be away so it would be good to not have us
shorthanded then. Or maybe staggering when people join/leave with some
overlap is a good plan.

> Thanks again for volunteering, John!
>
> Ludo’.

Welcome and hoping to serve the Guix community well!

John

Re: Upgrading Guix's security team

[Simon Tournier]

Hi,

On mer., 22 nov. 2023 at 19:16, Ludovic Courtès <ludo@gnu.org> wrote:

> Leo, Tobias, and John: What would be a good end-of-term date for each
> one of you?  As I see it, it wouldn’t mean you cannot do an additional
> term but rather that you’ll have an opportunity to leave and that you’ll
> do your best to be around by then.

I think all this should be encoded in some RFC as proposed in:

        Request-For-Comment process: concrete implementation
        Simon Tournier <zimon.toutoune@gmail.com>
        Tue, 31 Oct 2023 12:14:42 +0100
        id:87h6m7yrfh.fsf@gmail.com
        https://lists.gnu.org/archive/html/guix-devel/2023-10
        https://yhetil.org/guix/87h6m7yrfh.fsf@gmail.com

Well, this RFC proposal appears to me a good opportunity for clarifying
the scope. role. end-of-term, etc. about the Security Team.

Cheers,
simon

Re: Upgrading Guix's security team

[Hartmut Goebel]

Am 16.11.23 um 15:22 schrieb Ludovic Courtès:
> We could distinguish security issues in packages provided by Guix from
> security issues in Guix itself.

Maybe its also a good idea to add a security.txt to the website?

https://en.wikipedia.org/wiki/Security.txt "is meant to allow security 
researchers to easily report security vulnerabilities".

Respective RFC: https://datatracker.ietf.org/doc/html/rfc9116

-- 
Regards
Hartmut Goebel

| Hartmut Goebel          | h.goebel@crazy-compilers.com               |
| www.crazy-compilers.com | compilers which you thought are impossible |