[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Upgrading Guix's security team
From: |
Maxim Cournoyer |
Subject: |
Re: Upgrading Guix's security team |
Date: |
Fri, 17 Nov 2023 23:31:41 -0500 |
User-agent: |
Gnus/5.13 (Gnus v5.13) |
Hi,
Ludovic Courtès <ludo@gnu.org> writes:
[...]
> Yes, we definitely need a rotation here! I for one have my name there
> but regardless of my interest, I have to admit that I’ve been unable to
> be sufficiently responsive. It’s time to let new folks take
> responsibility.
>
> I think we should make this a fixed-term position, to make it easier for
> people to commit to actually being active when needed, with the
> understanding that it’s not a commitment for life.
>
>> - currently we are not on the OS security distribution contact list:
>> <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this
>> had been discussed before but we will need commitment from people
>>
>> - clear roles will be helpful; to me this includes at least a couple
>> of people to coordinate (the majority of security issues will be
>> handled through package upgrades/grafts) and people to help review
>> and/or contact needed experts, like for Guix internal issues; we
>> should make this more precise
>
> We could distinguish security issues in packages provided by Guix from
> security issues in Guix itself.
>
> That said, the security team could redirect things to members of the
> “core” team for security issues in Guix itself; maybe we don’t need to
> formally separate the two.
>
>> - likewise, a clear fixed timeframe for who is on this team; keeping
>> people fresh and engaged for what can suddenly be a time sensitive and
>> critical job; I think this will also help spread institutional
>> knowledge for better security practices in general
>
> +1!
>
>> - members need not be experts but should be active in the community as
>> committers (already a round of vetting), familiar with what issues and
>> processes may arise, and willing to learn; perhaps we need a list of
>> experts to consult though the current teams are a good starting point
>
> +1
>
>> - what are your thoughts? what are the goals and outcomes we as a
>> distro want in security?
>>
>> - finally, I think an internal discussion with maintainers and long
>> time active committers would be helpful to get the improvements
>> started and moving, in addition to this wider discussion here
>>
>> And to get things started, I'm happy to volunteer myself to help
>> coordinate on security, if deemed okay by our current security team,
>> maintainers, and anyone else that's been helping to handle security. A
>> coordinating role with a term of say 6 months to a year? Happy to
>> provide more information and discuss here or privately; in short I'm
>> not a security expert but have time and bandwidth to keep things
>> moving and want to learn.
>
> Thank you for getting the ball moving!
>
> I’m all for having you on board and, to set an example, to leave as you
> join.
>
> If maintainers agree (Cc’d), I invite you to add your name and a
> termination date to the security page, remove my name, and subscribe to
> guix-security. We should add a term for other people on the team too.
>
> How does that sound?
Sounds good to me!
--
Thanks,
Maxim