Re: Call for volunteer(s) for Guix "security" web page

[Leo Famulari]

On Tue, Sep 27, 2016 at 10:58:09AM +0200, Ludovic Courtès wrote:
> > +               (h2 "Release signatures")
> > +               (p "Releases of Guix and GuixSD are signed using the 
> > OpenPGP "
> > +                  "key with the fingerprint "
> > +                  "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5.  "
> > +                  "This key can be obtained from XXX.")
> 
> Maybe link to
> <https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html>
> or copy/paste the text?  Though we should give a ‘gpg --recv-keys’
> command that uses the full fingerprint instead of just the 64-bit ID
> (which is still too small, some say.)
> 
> > +               (h2 "Security updates")
> > +               (p "When security vulnerabilities are found in Guix or the "
> > +                  "packages provided by Guix, we will provide "
> > +                  (a (@ (href ,(base-url 
> > "manual/html_node/Security-Updates.html")))
> > +                     "security updates")
> > +                  " quickly and with minimal disruption for users.")
> 
> Maybe also that Guix is a “rolling release”, so there’s currently no
> separate security-fix branch and all critical fixes go to master?

I tried to implement these suggestion in the attached patch.

> I wonder if it would make sense to add a note on reproducible builds,
> ‘guix challenge’ and all that; later maybe!

Yes, later. Volunteers still welcome :)

> Note that you’ll then need to commit the resulting HTML to CVS(!) to
> that the update pages show up, as per the instructions available on the
> Savannah project page.  If you’re unsure or anything, I can do that.

I'll try it if this new patch is okay.

0001-www-security-New-page.patch
Description: Text document

signature.asc
Description: PGP signature