On Fri, Nov 17, 2023 at 11:31:41PM -0500, Maxim Cournoyer wrote:
> Hi,
>
> Ludovic Courtès writes:
>
> [...]
>
> > Yes, we definitely need a rotation here! I for one have my name there
> > but regardless of my interest, I have to admit that I’ve been unable to
> > be sufficiently responsive. It’s time to let new folks take
> > responsibility.
> >
> > I think we should make this a fixed-term position, to make it easier for
> > people to commit to actually being active when needed, with the
> > understanding that it’s not a commitment for life.
> >
> >> - currently we are not on the OS security distribution contact list:
> >> ; this
> >> had been discussed before but we will need commitment from people
> >>
> >> - clear roles will be helpful; to me this includes at least a couple
> >> of people to coordinate (the majority of security issues will be
> >> handled through package upgrades/grafts) and people to help review
> >> and/or contact needed experts, like for Guix internal issues; we
> >> should make this more precise
> >
> > We could distinguish security issues in packages provided by Guix from
> > security issues in Guix itself.
> >
> > That said, the security team could redirect things to members of the
> > “core” team for security issues in Guix itself; maybe we don’t need to
> > formally separate the two.
> >
> >> - likewise, a clear fixed timeframe for who is on this team; keeping
> >> people fresh and engaged for what can suddenly be a time sensitive and
> >> critical job; I think this will also help spread institutional
> >> knowledge for better security practices in general
> >
> > +1!
> >
> >> - members need not be experts but should be active in the community as
> >> committers (already a round of vetting), familiar with what issues and
> >> processes may arise, and willing to learn; perhaps we need a list of
> >> experts to consult though the current teams are a good starting point
> >
> > +1
> >
> >> - what are your thoughts? what are the goals and outcomes we as a
> >> distro want in security?
> >>
> >> - finally, I think an internal discussion with maintainers and long
> >> time active committers would be helpful to get the improvements
> >> started and moving, in addition to this wider discussion here
> >>
> >> And to get things started, I'm happy to volunteer myself to help
> >> coordinate on security, if deemed okay by our current security team,
> >> maintainers, and anyone else that's been helping to handle security. A
> >> coordinating role with a term of say 6 months to a year? Happy to
> >> provide more information and discuss here or privately; in short I'm
> >> not a security expert but have time and bandwidth to keep things
> >> moving and want to learn.
> >
> > Thank you for getting the ball moving!
> >
> > I’m all for having you on board and, to set an example, to leave as you
> > join.
> >
> > If maintainers agree (Cc’d), I invite you to add your name and a
> > termination date to the security page, remove my name, and subscribe to
> > guix-security. We should add a term for other people on the team too.
> >
> > How does that sound?
>
> Sounds good to me!

Sounds good to me too.

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted