author: Christopher Baines <mail@cbaines.net> 2021-04-03 10:46:29 +0100
committer: Christopher Baines <mail@cbaines.net> 2021-04-03 10:46:34 +0100
commit: efc574bfb04fd4c6301ca4f63c8fb7e2b07ccd6a (patch)
tree: 87188d145be65eed249949f2ef526ea521554871
download: tooling-to-improve-security-and-trust-efc574bfb04fd4c6301ca4f63c8fb7e2b07ccd6a.tar
          tooling-to-improve-security-and-trust-efc574bfb04fd4c6301ca4f63c8fb7e2b07ccd6a.tar.gz
Initial commit
-rw-r--r--  README.org  139
1 files changed, 139 insertions, 0 deletions
diff --git a/README.org b/README.org
new file mode 100644
index 0000000..66b5f71
--- /dev/null
+++ b/README.org
@@ -0,0 +1,139 @@
+* Aims
+
+With this project, I'd aim to work on the following areas:
+
+** As a project, monitoring security issues in GNU Guix
+
+Currently, there's some tooling (guix lint --checker=cve) to look at
+CVE's relevant to packages, but I'm not aware of any automated way to
+track and monitor for potential security issues in packages.
+
+I want to build on the existing tooling, making it easy for anyone to
+see what security issues affect what Guix packages, across various
+revisions of Guix.
+
+** As a user of GNU Guix, monitoring and checking for security issues
+
+As a user of Guix, there's also a lack of tooling to discover known
+security issues in the software provided through Guix.
+
+I want to develop the relevant tooling so that users can easily find
+and monitor for security issues that specifically affect them.
+
+** Improve the patch review process to help guard against malicious code
+
+When contributors are reviewing changes, it could be easier to look at
+the upstream changes, and perform some checking to guard against
+malicious code being distributed.
+
+At the moment, there's very little support for doing this when
+reviewing patches for Guix, this isn't a challenge that needs to be
+completely solved, but definitely an area where value can be added.
+
+* Tasks
+
+** Perform initial community inquiry
+
+As a community run free software project, this is especially
+important. Lots of people are more involved with these areas than me,
+so it’s important to reach out to them and involve them in the work
+I’m planning.
+
+Milestones:
+
+ - Thread on the guix-devel mailing list about this project
+ - Findings from the inquiry posted to the guix-devel mailing list
+
+** Implement initial improvements in and around the Guix Data Service
+
+The Guix Data Service stores data about Guix, but it’s not currently
+aware of grafts, which are an approach often used to provide security
+fixes to users. For the Guix Data Service to provide accurate data on
+potential security issues, it needs to be aware of grafts, so that it
+has accurate data on what packages are present at what verisons in
+specific revisions.
+
+Additionally, a long planned feature of the Guix Data Service is to be
+able to subscribe to particular pages/bits of data, and get
+notifications when they change. This is an important component of
+using the Guix Data Service to review patches, and I see it playing an
+important part of responding to security issues as well.
+
+Milestones;
+
+ - The Guix Data Service stores when packages are replaced, including
+ details about the replacement
+ - This information is available through the web interface
+ - Users can create subscriptions to data in the Guix Data Service
+ (not all data, but at least one bit of data)
+
+** Implement security data support in the Guix Data Service
+
+This is part of getting tooling in place so that security related
+issues in GNU Guix can be more methodically monitoried.
+
+Milestones:
+
+ - Research data sources
+ - Support storing and fetching/receiving this data
+ - Add support for considering this data when comparing revisions
+
+** Setup project focused security monitoring and issue tracking
+
+There’s currently some tooling for monitoring and tracking security
+issues, but I think there’s lots of room for improvement. Making
+security issues more visible should mean addressing them is easier and
+happens faster.
+
+Milestones:
+
+ - Research and plan tooling implementation
+ - Implement and document tooling
+
+** Research and implement user security monitoring tooling
+
+As a user of Guix, you might want to be able to check the security
+status of the software you’re using, or get notifications when that
+changes. This subtask looks at this area.
+
+Milestones:
+
+ - Research done regarding approach and user needs
+ - Implement and document tooling
+
+** Prototype adding source diffing to the patch review tooling
+
+Making it easy to review changes to package source materials may help
+patch submitters and reviewers spot security issues before they get in
+to Guix.
+
+Milestones:
+
+ - Research approaches
+ - Implement prototype
+ - Publish results
+
+** Prototype adding automated scanning to the patch review tooling
+
+Reviewing source material changes with software may be a useful
+approach to highlighing suspicious changes for more manual review,
+this subtask will look at prototyping this.
+
+Milestones:
+
+ - Research approach and available tooling
+ - Implement prototype
+ - Publish results
+
+** Prototype adding automated signature checks to patch review tooling
+
+Guix can be seen as a compoent in a software “supply chain”, and there
+may be approaches that allow verification or corroberation of the
+materials coming in on this “supply chain” to Guix, which in turn
+improves the security of Guix for it’s users.
+
+Milestones:
+
+ - Research done regarding approach
+ - Implement prototype
+ - Publish results
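Review bot: several spellings in the new README.org need fixing before this lands: "verisons" (under "Implement initial improvements in and around the Guix Data Service"), "monitoried" (under "Implement security data support"), "highlighing" (under "Prototype adding automated scanning"), and "compoent", "corroberation" and "it's users" (should be "its users") under "Prototype adding automated signature checks"; that same Guix Data Service section also heads its list with "Milestones;" where every other section uses "Milestones:". Beyond the typos, the signature-check subtask never says what is to be verified against what: it speaks of "verification or corroberation of the materials coming in on this 'supply chain'" but does not name the artifact (for example the upstream source a package patch imports) or the trust anchor a signature would be checked against, so the milestone "Research done regarding approach" has no stated scope. One sentence fixing both would make that subtask reviewable on the same footing as the others, which at least name the data (CVEs, grafts/replacements, source diffs) they operate on.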