[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security related tooling project
|
From: |
Léo Le Bouter |
|
Subject: |
Re: Security related tooling project |
|
Date: |
Sat, 03 Apr 2021 23:44:24 +0200 |
|
User-agent: |
Evolution 3.34.2 |
On Sat, 2021-04-03 at 11:41 +0100, Christopher Baines wrote:
> Hey,
>
> In May last year (2020), I submitted an application to NLNet. The
> work I
> set out wasn't something I was doing at the time, but something I
> hadn't
> yet found time to work on, tooling specifically around security
> issues.
>
> The application got a bit lost, probably somewhat down to email
> issues
> on my end. Anyway, things picked up again in February of this year
> (2021), and this is now something I'm looking to do roughly over the
> next 8 months.
>
> I've been working on stuff in and around Guix for I think around 5
> years
> now, and in that time I have attempted some big projects,
> particularly
> things like the Guix Data Service and Guix Build Coordinator. I've
> fit
> all of that around a regular non-Guix related work. The support of
> NLNet
> means I'm able to set aside more time for Guix and this work, exactly
> how much more time I can dedicate is something I'm still working on.
>
> There's a more complete description of the aims and tasks here [1],
> this
> email is effectively the start of the work. I want to get lots of
> input
> and feedback on the plans I've set out, as well as checking if
> there's
> any related or overlapping work going on.
>
> 1:
> https://git.cbaines.net/guix/tooling-to-improve-security-and-trust/about/
>
> I'm particularly excited by some of the initial work. I'm hoping
> getting
> some initial version of Guix Data Service subscriptions in place will
> open up loads of opportunities, and getting data about package
> replacements (grafts) in to the Guix Data Service will be generally
> helpful as well.
>
> Once that's in place, I want to tackle 3 areas: security issues from
> a
> project perspective, security issues from a individual user
> perspective
> and prototype some enhancements to the patch review process,
> specifically around security.
>
> In terms of looking at security from a project perspective, I'm
> thinking
> about these kinds of needs/questions:
>
> - What security issues affect this revision of Guix? (latest or
> otherwise)
>
> - How do Guix contributors find out about new security issues that
> affect Guix revisions they're interested in?
>
> From the user perspective, I want to look at things like:
>
> - How do I find out what (if any) security issues affect the
> software
> I'm currently running (through Guix)?
>
> - How can I get notified when a new security issue affects the
> software
> I'm currently running (through Guix)?
>
> Please let me know if you have any comments or questions!
>
> Thanks,
>
> Chris
That's really really awesome Chris! I especially like that also users
are invited to particpate in the process and the information is shared
there as well!
If I have a comment about the CVE mechanism is that it seems CPE
vendor/name labeling isnt done well or not fast enough in practice,
most flaws I fix they do not have CPE name and vendor specified. So I
wonder how to automate recognition of them here. I believe some could
try and parse the summary with natural language analysis but that also
seems quite imprecise.
Léo
signature.asc
Description: This is a digitally signed message part