
Re: Upgrading Guix's security team


From: Ludovic Courtès
Subject: Re: Upgrading Guix's security team
Date: Thu, 16 Nov 2023 15:22:42 +0100
User-agent: Gnus/5.13 (Gnus v5.13)

Hi John,

Looks like this message was left unanswered for more than a month, which
proves you have a point!

John Kehayias <john.kehayias@protonmail.com> wrote:

> - current security email/people can be found here, which is nicely
> visible <https://guix.gnu.org/en/security/> yet probably in need of a
> hand and new faces for an important but often thankless job; no fault
> to them or Guix as a whole, merely a good time to see how we can keep
> improving

Yes, we definitely need a rotation here!  I for one have my name there
but regardless of my interest, I have to admit that I’ve been unable to
be sufficiently responsive.  It’s time to let new folks take
responsibility.

I think we should make this a fixed-term position, to make it easier for
people to commit to actually being active when needed, with the
understanding that it’s not a commitment for life.

> - currently we are not on the OS security distribution contact list:
> <https://oss-security.openwall.org/wiki/mailing-lists/distros>; this
> had been discussed before but we will need commitment from people
>
> - clear roles will be helpful; to me this includes at least a couple
> of people to coordinate (the majority of security issues will be
> handled through package upgrades/grafts) and people to help review
> and/or contact needed experts, like for Guix internal issues; we
> should make this more precise

We could distinguish security issues in packages provided by Guix from
security issues in Guix itself.

That said, the security team could redirect things to members of the
“core” team for security issues in Guix itself; maybe we don’t need to
formally separate the two.

> - likewise, a clear fixed timeframe for who is on this team; keeping
> people fresh and engaged for what can suddenly be a time sensitive and
> critical job; I think this will also help spread institutional
> knowledge for better security practices in general

+1!

> - members need not be experts but should be active in the community as
> committers (already a round of vetting), familiar with what issues and
> processes may arise, and willing to learn; perhaps we need a list of
> experts to consult though the current teams are a good starting point

+1

> - what are your thoughts? what are the goals and outcomes we as a
> distro want in security?
>
> - finally, I think an internal discussion with maintainers and long
> time active committers would be helpful to get the improvements
> started and moving, in addition to this wider discussion here
>
> And to get things started, I'm happy to volunteer myself to help
> coordinate on security, if deemed okay by our current security team,
> maintainers, and anyone else that's been helping to handle security. A
> coordinating role with a term of say 6 months to a year? Happy to
> provide more information and discuss here or privately; in short I'm
> not a security expert but have time and bandwidth to keep things
> moving and want to learn.

Thank you for getting the ball moving!

I’m all for having you on board and, to set an example, to leave as you
join.

If maintainers agree (Cc’d), I invite you to add your name and a
termination date to the security page, remove my name, and subscribe to
guix-security.  We should add a term for other people on the team too.

How does that sound?

Ludo’.
