Upgrading Guix's security team

[John Kehayias]

Hi Guixers!

In light of the several high profile CVEs this month, which were/are being 
handled and more coming (curl joins the chat) some of us were discussing 
improving and systematizing our security team and responses. My thanks to 
Tobias for quick review to help finalize the XOrg CVE grafts, to Liliana for 
the pending glibc fix (see <https://issues.guix.gnu.org/66348>) and updating 
curl in preparation for a critical CVE update, and Ludo for getting this 
discussion started.

Here are some quick thoughts/ideas that came up for comment:

- current security email/people can be found here, which is nicely visible 
<https://guix.gnu.org/en/security/> yet probably in need of a hand and new 
faces for an important but often thankless job; no fault to them or Guix as a 
whole, merely a good time to see how we can keep improving

- currently we are not on the OS security distribution contact list: 
<https://oss-security.openwall.org/wiki/mailing-lists/distros>; this had been 
discussed before but we will need commitment from people

- clear roles will be helpful; to me this includes at least a couple of people 
to coordinate (the majority of security issues will be handled through package 
upgrades/grafts) and people to help review and/or contact needed experts, like 
for Guix internal issues; we should make this more precise

- likewise, a clear fixed timeframe for who is on this team; keeping people 
fresh and engaged for what can suddenly be a time sensitive and critical job; I 
think this will also help spread institutional knowledge for better security 
practices in general

- members need not be experts but should be active in the community as 
committers (already a round of vetting), familiar with what issues and 
processes may arise, and willing to learn; perhaps we need a list of experts to 
consult though the current teams are a good starting point

- what are your thoughts? what are the goals and outcomes we as a distro want 
in security?

- finally, I think an internal discussion with maintainers and long time active 
committers would be helpful to get the improvements started and moving, in 
addition to this wider discussion here

And to get things started, I'm happy to volunteer myself to help coordinate on 
security, if deemed okay by our current security team, maintainers, and anyone 
else that's been helping to handle security. A coordinating role with a term of 
say 6 months to a year? Happy to provide more information and discuss here or 
privately; in short I'm not a security expert but have time and bandwidth to 
keep things moving and want to learn.

Thanks everyone, and here's to hoping the spooky season is full of fun and 
candy and less CVEs!

John Kehayias