From: Christopher Baines
To: guix-devel@gnu.org
Subject: Security related tooling project
Date: Sat, 03 Apr 2021 11:41:37 +0100
Message-ID: <874kgn4plq.fsf@cbaines.net>
Hey,

In May last year (2020), I submitted an application to NLNet. The work I set out wasn't something I was doing at the time, but something I hadn't yet found time to work on: tooling specifically around security issues. The application got a bit lost, probably somewhat down to email issues on my end. Anyway, things picked up again in February of this year (2021), and this is now something I'm looking to do roughly over the next 8 months.

I've been working on stuff in and around Guix for I think around 5 years now, and in that time I have attempted some big projects, particularly things like the Guix Data Service and Guix Build Coordinator. I've fit all of that around regular non-Guix-related work. The support of NLNet means I'm able to set aside more time for Guix and this work; exactly how much more time I can dedicate is something I'm still working on.

There's a more complete description of the aims and tasks here [1]; this email is effectively the start of the work. I want to get lots of input and feedback on the plans I've set out, as well as checking if there's any related or overlapping work going on.

1: https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/about/

I'm particularly excited by some of the initial work. I'm hoping getting some initial version of Guix Data Service subscriptions in place will open up loads of opportunities, and getting data about package replacements (grafts) into the Guix Data Service will be generally helpful as well.
Once that's in place, I want to tackle 3 areas: security issues from a project perspective, security issues from an individual user perspective, and prototyping some enhancements to the patch review process, specifically around security.

In terms of looking at security from a project perspective, I'm thinking about these kinds of needs/questions:

 - What security issues affect this revision of Guix? (latest or otherwise)

 - How do Guix contributors find out about new security issues that affect Guix revisions they're interested in?

From the user perspective, I want to look at things like:

 - How do I find out what (if any) security issues affect the software I'm currently running (through Guix)?

 - How can I get notified when a new security issue affects the software I'm currently running (through Guix)?

Please let me know if you have any comments or questions!

Thanks,

Chris
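Editor's added example for the two user-perspective questions in the message above (which installed software is affected by a known issue, and what is newly affected since the last check). This is not code from the email, from the linked project page, or from Guix itself; Guix's own `guix lint -c cve` checker does a related lookup against package definitions rather than an installed profile. The installed-package listing and the advisory list are constructed sample data with placeholder package names and placeholder advisory identifiers (EXAMPLE-000n), the `/gnu/store` hashes are dummies, and the version comparison is a simplified numeric ordering, not Guix's own version ordering.

```python
"""Join `guix package --list-installed` output against a list of advisories
with affected version ranges, then diff two runs to find new findings.

All input data here is CONSTRUCTED for illustration: package names, versions,
store hashes and the EXAMPLE-000n identifiers are placeholders, not real
packages or real advisories.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# `guix package --list-installed` prints one package per line as
# tab-separated name, version, output, store path. Constructed sample.
SAMPLE_INSTALLED = (
    "examplelib\t1.2.9\tout\t/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-examplelib-1.2.9\n"
    "sampletool\t3.0.1\tout\t/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-sampletool-3.0.1\n"
    "othertool\t2.4.0\tout\t/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-othertool-2.4.0\n"
)


@dataclass(frozen=True)
class Advisory:
    ident: str             # placeholder identifier (constructed)
    package: str           # Guix package name the advisory applies to
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = unfixed


# Constructed advisory list. Note 1.2.9 < 1.2.10 only under numeric comparison.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplelib", "1.2.0", "1.2.10"),
    Advisory("EXAMPLE-0002", "sampletool", "3.0.0", "3.0.1"),   # 3.0.1 is the fix
    Advisory("EXAMPLE-0003", "othertool", "2.0", None),         # no fix released
    Advisory("EXAMPLE-0004", "notinstalled", "1.0", "1.1"),     # not in profile
]


def version_key(version: str) -> Tuple:
    """Map '1.2.10' to ((0,1),(0,2),(0,10)) so versions compare numerically
    component by component; non-numeric components sort after numbers.
    Simplified ordering for this example, not Guix's own."""
    key = []
    for part in re.split(r"[.\-]", version):
        key.append((0, int(part)) if part.isdigit() else (1, part))
    return tuple(key)


def parse_installed(text: str) -> List[Tuple[str, str]]:
    """Parse `guix package --list-installed` lines into (name, version)."""
    installed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version, _output, _store_path = line.split("\t")
        installed.append((name, version))
    return installed


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = version_key(version)
    if v < version_key(adv.introduced):
        return False
    return adv.fixed is None or v < version_key(adv.fixed)


def affected(installed, advisories) -> List[Tuple[str, str, str]]:
    """Sorted (package, version, advisory id) triples for every installed
    package that falls inside an advisory's affected range."""
    hits = set()
    for name, version in installed:
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                hits.add((name, version, adv.ident))
    return sorted(hits)


def new_findings(previous, current) -> List[Tuple[str, str, str]]:
    """Findings present in the current report but not in the previous one:
    the set a notification should be sent for."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    report = affected(parse_installed(SAMPLE_INSTALLED), SAMPLE_ADVISORIES)
    for name, version, ident in report:
        print(f"{name} {version}: {ident}")
    # A second run with a saved earlier report would print only the new entries:
    earlier = [("examplelib", "1.2.9", "EXAMPLE-0001")]
    print("new since last run:", new_findings(earlier, report))
```

The string-based trap this guards against is the usual one: "1.2.9" sorts after "1.2.10" lexicographically, so a naive comparison would report the fixed version as affected and the affected one as clean. Real feeds also need a version-range representation per package, which is why the advisory carries an explicit introduced/fixed pair rather than a single version.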