From: Ludovic Courtès
To: John Kehayias
Cc: Guix Devel, guix-maintainers@gnu.org
Subject: Re: Upgrading Guix's security team
In-Reply-To: <87cyxt9iwm.fsf@protonmail.com> (John Kehayias's message of "Thu, 05 Oct 2023 15:41:00 +0000")
References: <87cyxt9iwm.fsf@protonmail.com>
Date: Thu, 16 Nov 2023 15:22:42 +0100
Message-ID: <8734x5ydzh.fsf@gnu.org>

Hi John,

Looks like this message was left unanswered for more than a month, which proves you have a point!

John Kehayias wrote:

> - current security email/people can be found here, which is nicely
> visible yet probably in need of a
> hand and new faces for an important but often thankless job; no fault
> to them or Guix as a whole, merely a good time to see how we can keep
> improving

Yes, we definitely need a rotation here! I for one have my name there but, regardless of my interest, I have to admit that I’ve been unable to be sufficiently responsive. It’s time to let new folks take responsibility.

I think we should make this a fixed-term position, to make it easier for people to commit to actually being active when needed, with the understanding that it’s not a commitment for life.

> - currently we are not on the OS security distribution contact list:
> ; this
> had been discussed before but we will need commitment from people
>
> - clear roles will be helpful; to me this includes at least a couple
> of people to coordinate (the majority of security issues will be
> handled through package upgrades/grafts) and people to help review
> and/or contact needed experts, like for Guix internal issues; we
> should make this more precise

We could distinguish security issues in packages provided by Guix from security issues in Guix itself. That said, the security team could redirect things to members of the “core” team for security issues in Guix itself; maybe we don’t need to formally separate the two.

> - likewise, a clear fixed timeframe for who is on this team; keeping
> people fresh and engaged for what can suddenly be a time sensitive and
> critical job; I think this will also help spread institutional
> knowledge for better security practices in general

+1!

> - members need not be experts but should be active in the community as
> committers (already a round of vetting), familiar with what issues and
> processes may arise, and willing to learn; perhaps we need a list of
> experts to consult though the current teams are a good starting point

+1

> - what are your thoughts? what are the goals and outcomes we as a
> distro want in security?
>
> - finally, I think an internal discussion with maintainers and long
> time active committers would be helpful to get the improvements
> started and moving, in addition to this wider discussion here
>
> And to get things started, I'm happy to volunteer myself to help
> coordinate on security, if deemed okay by our current security team,
> maintainers, and anyone else that's been helping to handle security. A
> coordinating role with a term of say 6 months to a year? Happy to
> provide more information and discuss here or privately; in short I'm
> not a security expert but have time and bandwidth to keep things
> moving and want to learn.

Thank you for getting the ball moving!

I’m all for having you on board and, to set an example, to leave as you join.

If maintainers agree (Cc’d), I invite you to add your name and a termination date to the security page, remove my name, and subscribe to guix-security.

We should add a term for other people on the team too.

How does that sound?

Ludo’.