path: root/README.org
blob: 30d0db389fd7f5d361161a74d6202a4744439bd1 (plain)
* Aims

With this project, I'd aim to work on the following areas:

** As a project, monitoring security issues in GNU Guix

Currently, there's some tooling (guix lint --checker=cve) to look at
CVEs relevant to packages, but I'm not aware of any automated way to
track and monitor for potential security issues in packages.

I want to build on the existing tooling, making it easy for anyone to
see what security issues affect what Guix packages, across various
revisions of Guix.

** As a user of GNU Guix, monitoring and checking for security issues

As a user of Guix, there's also a lack of tooling to discover known
security issues in the software provided through Guix.

I want to develop the relevant tooling so that users can easily find
and monitor for security issues that specifically affect them.

** Improve the patch review process to help guard against malicious code

When contributors are reviewing changes, it could be easier to look at
the upstream changes, and perform some checking to guard against
malicious code being distributed.

At the moment, there's very little support for doing this when
reviewing patches for Guix. This isn't a challenge that needs to be
completely solved, but it is definitely an area where value can be added.

* Tasks

** Perform initial community inquiry

As a community-run free software project, this is especially
important. Lots of people are more involved with these areas than me,
so it's important to reach out to them and involve them in the work
I'm planning.

Milestones:

 - Thread on the guix-devel mailing list about this project
 - Findings from the inquiry posted to the guix-devel mailing list

** Implement initial improvements in and around the Guix Data Service

The Guix Data Service stores data about Guix, but it's not currently
aware of grafts, which are an approach often used to provide security
fixes to users. For the Guix Data Service to provide accurate data on
potential security issues, it needs to be aware of grafts, so that it
has accurate data on what packages are present at what versions in
specific revisions.
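As an added example (not the project's or the Guix Data Service's own code), the replacement data described above can be enumerated directly from Guix's package API in Guile; the script file name in the comment is an assumption:

```scheme
;; Added example (not part of the project): list packages that carry a
;; graft, i.e. a replacement package that Guix substitutes at build
;; time, typically to ship a security fix without a full rebuild.
;; Run with: guix repl -- list-grafts.scm   (file name is an assumption)
(use-modules (gnu packages)
             (guix packages)
             (srfi srfi-1))

(define (graft-records)
  ;; Fold over every public package and keep (name version
  ;; replacement-version) triples for those that have a replacement.
  (fold-packages
   (lambda (package acc)
     (let ((replacement (package-replacement package)))
       (if replacement
           (cons (list (package-name package)
                       (package-version package)
                       (package-version replacement))
                 acc)
           acc)))
   '()))

;; Print one line per grafted package, sorted by name, so the output can
;; be diffed between two Guix revisions to see what was replaced when.
(for-each
 (lambda (record)
   (format #t "~a: ~a -> ~a~%"
           (first record) (second record) (third record)))
 (sort (graft-records)
       (lambda (a b) (string<? (first a) (first b)))))
```

Running this against two different Guix commits (for example via guix time-machine) and comparing the output is a manual version of the per-revision replacement tracking the milestone below asks for.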

Additionally, a long planned feature of the Guix Data Service is to be
able to subscribe to particular pages/bits of data, and get
notifications when they change. This is an important component of
using the Guix Data Service to review patches, and I see it playing an
important part of responding to security issues as well.

Milestones:

 - The Guix Data Service stores when packages are replaced, including
   details about the replacement
 - This information is available through the web interface
 - Users can create subscriptions to data in the Guix Data Service
   (not all data, but at least one bit of data)

** Implement security data support in the Guix Data Service

This is part of getting tooling in place so that security-related
issues in GNU Guix can be more methodically monitored.

Milestones:

 - Research data sources
 - Support storing and fetching/receiving this data
 - Add support for considering this data when comparing revisions

** Set up project-focused security monitoring and issue tracking

There's currently some tooling for monitoring and tracking security
issues, but I think there's lots of room for improvement. Making
security issues more visible should mean addressing them is easier and
happens faster.

Milestones:

 - Research and plan tooling implementation
 - Implement and document tooling

** Research and implement user security monitoring tooling

As a user of Guix, you might want to be able to check the security
status of the software you're using, or get notifications when that
changes. This subtask looks at this area.

Milestones:

 - Research done regarding approach and user needs
 - Implement and document tooling

** Prototype adding source diffing to the patch review tooling

Making it easy to review changes to package source materials may help
patch submitters and reviewers spot security issues before they get
into Guix.

Milestones:

 - Research approaches
 - Implement prototype
 - Publish results

** Prototype adding automated scanning to the patch review tooling

Reviewing source material changes with software may be a useful
approach to highlighting suspicious changes for more manual review;
this subtask will look at prototyping this.

Milestones:

 - Research approach and available tooling
 - Implement prototype
 - Publish results

** Prototype adding automated signature checks to patch review tooling

Guix can be seen as a component in a software “supply chain”, and there
may be approaches that allow verification or corroboration of the
materials coming in on this “supply chain” to Guix, which in turn
improves the security of Guix for its users.

Milestones:

 - Research done regarding approach
 - Implement prototype
 - Publish results

* Links

** NLNet page

https://nlnet.nl/project/GUIX-securitytracking/