[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Call for volunteer(s) for Guix "security" web page

From: Ludovic Courtès
Subject: Re: Call for volunteer(s) for Guix "security" web page
Date: Tue, 27 Sep 2016 10:58:09 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Hi Leo,

Thanks a lot both for sending the call and replying to it!  :-)

> From 30699a5a8de5ac09c6fbba93be6b88a1d77bc039 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Sun, 25 Sep 2016 18:43:28 -0400
> Subject: [PATCH] www: security: New page.
> * website/www/security.scm: New file.
> * website/www.scm (%web-pages): Add security-page.
> * website/www/shared.scm (html-page-links): Add "Security".


> +               (h2 "How to report security issues")
> +               (p "To report sensitive security issues in Guix itself or the 
> packages it "
> +                  "provides, you can write to the private mailing list "
> +                  (a (@ (href 
> "";))
> +                     ("address@hidden"))
> +                     ".  This list is monitored by a small team of Guix "
> +                     "developers.")
> +               (h2 "Release signatures")
> +               (p "Releases of Guix and GuixSD are signed using the OpenPGP "
> +                  "key with the fingerprint "
> +                  "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5.  "
> +                  "This key can be obtained from XXX.")

Maybe link to
or copy/paste the text?  Though we should give a ‘gpg --recv-keys’
command that uses the full fingerprint instead of just the 64-bit ID
(which is still too small, some say.)

> +               (h2 "Security updates")
> +               (p "When security vulnerabilities are found in Guix or the "
> +                  "packages provided by Guix, we will provide "
> +                  (a (@ (href ,(base-url 
> "manual/html_node/Security-Updates.html")))
> +                     "security updates")
> +                  " quickly and with minimal disruption for users.")

Maybe also that Guix is a “rolling release”, so there’s currently no
separate security-fix branch and all critical fixes go to master?

I guess you can already commit that!

I wonder if it would make sense to add a note on reproducible builds,
‘guix challenge’ and all that; later maybe!

Note that you’ll then need to commit the resulting HTML to CVS(!) to
that the update pages show up, as per the instructions available on the
Savannah project page.  If you’re unsure or anything, I can do that.

Thank you!


reply via email to

[Prev in Thread] Current Thread [Next in Thread]