[Nix-dev] NixOS Security Team

Graham Christensen graham at grahamc.com
Wed Dec 7 01:49:46 CET 2016


Hello again Nix Users,

I was talking with Domen the other day on IRC about starting the NixOS
Security Team. We agreed we should run it by the mailing list first and
get some feedback.

Members of this team would:

 - send out security announcements to our new mailing list[0]
 - have their GPG fingerprints on the public website so the
   announcements can be verified
 - potentially receive private security disclosures about the Nix
   ecosystem
 - (hopefully) help with weekly security roundups and bug fixing

Long term, they are likely to be initial candidates for when we're
seeking membership to the oss-security's "distros" list[1], and perhaps
more direct involvement in security roadmap issues[2].

I think it is important that the members of this project have a history
of interest in NixOS's security, and a general history of contributions
to the project.

I nominate the following people:

 - myself obviously, Graham Christensen (grahamc)
 - Daniel Peebles (copumpkin)
 - Domen Kožar (domenkozar)
 - Franz Pletz (fpletz)

For Daniel and Domen, they are both fairly ( ;) ) respectable members of
the community, have a long history of involvement, and both directly
expressed interest on the thread about the "distros" mailing list[1].

For me, well, I think my initiative, consistency, and history speak for
themselves[6,7]. (I also expressed interest in that same "distros"
thread.[3])

For Franz, he is an incredibly consistent partner in the security
roundups, and his efforts are what I based the roundups process on.

For Eelco and Rob Vermaas (not listed above), I don't think they need
nominating, and will be on the team if they want. (I'm assuming they'll
want.)

I haven't asked Daniel, Domen, or Franz if they would like to be
members, so this is obviously pending their acceptance, and the approval
of the community.

Daniel, Domen, Franz, and Community: what do you think? A simple "+1"
would be helpful, even if you have no further feedback.

Eelco, Rob: what do _you_ think?

Thank you,
Graham Christensen

0: http://lists.science.uu.nl/pipermail/nix-dev/2016-November/022207.html
1: https://github.com/NixOS/nixpkgs/issues/14819
2: https://github.com/NixOS/nixpkgs/issues/14819#issuecomment-212337290
3: Note that I originally did express interest, but deleted my comments
after [4] because peti was right. See: [5]
4: https://github.com/NixOS/nixpkgs/issues/14819#issuecomment-212550422
5: https://github.com/NixOS/nixpkgs/issues/14819#issuecomment-213805937
6: https://github.com/NixOS/nixpkgs/search?q=%22Vulnerability+Roundup%22+author%3Agrahamc&type=Issues&utf8=%E2%9C%93
7: https://github.com/NixOS/security