[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Adding a section about security in the guix manual
From: |
Ricardo Wurmus |
Subject: |
Re: Adding a section about security in the guix manual |
Date: |
Fri, 11 Jan 2019 06:04:44 +0100 |
User-agent: |
mu4e 1.0; emacs 26.1 |
Leo Famulari <address@hidden> writes:
> On Wed, Jan 09, 2019 at 09:52:53AM -0500, Joshua Branson wrote:
>> Perhaps I would put it right after GNU Distribution > System
>> Configuration. Perhaps I would call that section "Hardening
>> Recommendations". Some of the things that I want to include are strong
>> passwords, encrypted drives, MAC, kernel hardening (which we currently
>> don't have a linux-libre-hardened do we?), sandboxing applications,
>> firewalls, and physical security. I may not be able to complete this
>> project swiftly, but I do intend to put it on my TODO list.
>
> I think the manual should include things that are specific to Guix, or
> that explain how to do generic things (like encrypted storage) in a
> Guix-y way. There are a lot of ways the manual (and GuixSD itself) could
> be improved in this regard.
>
> I'm less enthusiastic about including things that are basically
> universal concerns, like password strength or physical security.
I agree.
I’d also like to add that a section on MAC via SELinux would be
challenging to write because one would probably first need to develop
a few system services to better support SELinux.
The same goes for hardening, which would need probably require build
system support.
Sandboxing, on the other hand, could get a section already, as this is
made simpler with “guix environment --container” or “guix container”.
Let’s aim for something slightly less ambitious and add sections on
features that already exist.
--
Ricardo