[Nix-dev] NixOS Security Team

Jonn Mostovoy jm at memorici.de
Wed Dec 7 04:40:23 CET 2016


My 2c: nbp certainly should be nominated ;)

Regarding the proposal — it has to happen sooner or later anyway, and
if someone is willing to start it now, +1!
—
Kindest regards,
¬Σ


On Wed, Dec 7, 2016 at 2:49 AM, Graham Christensen <graham at grahamc.com> wrote:
>
> Hello again Nix Users,
>
> I was talking with Domen the other day on IRC about starting the NixOS
> Security Team. We agreed we should run it by the mailing list first and
> get some feedback.
>
> Members of this team would:
>
>  - send out security announcements to our new mailing list[0]
>  - have their GPG fingerprints on the public website so the
>    announcements can be verified
>  - potentially receive private security disclosures about the Nix
>    ecosystem
>  - (hopefully) help with weekly security roundups and bug fixing
>
> Long term, they are likely to be initial candidates for when we're
> seeking membership to the oss-security's "distros" list[1], and perhaps
> more direct involvement in security roadmap issues[2].
>
> I think it is important that the members of this project have a history
> of interest in NixOS's security, and a general history of contributions
> to the project.
>
> I nominate the following people:
>
>  - myself obviously, Graham Christensen (grahamc)
>  - Daniel Peebles (copumpkin)
>  - Domen Kožar (domenkozar)
>  - Franz Pletz (fpletz)
>
> For Daniel and Domen, they are both fairly ( ;) ) respectable members of
> the community, have a long history of involvement, and both directly
> expressed interest on the thread about the "distros" mailing list[1].
>
> For me, well, I think my initiative, consistency, and history speak for
> themselves[6,7]. (I also expressed interest in that same "distros"
> thread.[3])
>
> For Franz, he is an incredibly consistent partner in the security
> roundups, and his efforts are what I based the roundups process on.
>
> For Eelco and Rob Vermaas (not listed above,) I don't think they need
> nominating, and will be on the team if they want. (I'm assuming they'll
> want.)
>
> I haven't asked Daniel, Domen, or Franz if they would like to be
> members, so this is obviously pending their acceptance, and the approval
> of the community.
>
> Daniel, Domen, Franz, and Community: what do you think? A simple "+1"
> would be helpful, even if you have no further feedback.
>
> Eelco, Rob: what do _you_ think?
>
> Thank you,
> Graham Christensen
>
> 0: http://lists.science.uu.nl/pipermail/nix-dev/2016-November/022207.html
> 1: https://github.com/NixOS/nixpkgs/issues/14819
> 2: https://github.com/NixOS/nixpkgs/issues/14819#issuecomment-212337290
> 3: Note that I originally did express interest, but deleted my comments
> after [4] because peti was right. See: [5]
> 4: https://github.com/NixOS/nixpkgs/issues/14819#issuecomment-212550422
> 5: https://github.com/NixOS/nixpkgs/issues/14819#issuecomment-213805937
> 6: https://github.com/NixOS/nixpkgs/search?q=%22Vulnerability+Roundup%22+author%3Agrahamc&type=Issues&utf8=%E2%9C%93
> 7: https://github.com/NixOS/security
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev

