guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GNU30 Security Hackathon


From: Ludovic Courtès
Subject: Re: GNU30 Security Hackathon
Date: Thu, 12 Sep 2013 14:39:37 +0200
User-agent: Gnus/5.130007 (Ma Gnus v0.7) Emacs/24.3 (gnu/linux)

Hello,

hellekin <address@hidden> skribis:

> My objective with this email is to gather a list of suggestions as to
> where to put the effort on your various projects, in order to make it
> more convenient for them to choose. I'm willing to gather
> security-related bugs that they can look into and fix over a period of
> 3 days (obviously not full time), or ideas for useful tools related to
> privacy or security.

This sounds like a great initiative.

For Guix, a bug that we have is that pre-built binaries downloaded from
hydra.gnu.org are not cryptographically signed.  Note that, unlike most
other distros, binaries are not uploaded manually by the package
maintainer; instead, the build farm at hydra.gnu.org just builds all the
packages using recipes from the Guix repo, and publishes the binaries
over HTTP.

So the fix is twofold: first Hydra (the software behind hydra.gnu.org)
needs to be modified to produce and publish digital signatures; second
Guix’s “substituter” (the program that fetches pre-built binaries) needs
to actually fetch those signatures and check against them.

Ways to do it have been discussed before:

  http://lists.gnu.org/archive/html/bug-guix/2013-05/msg00087.html
  http://lists.science.uu.nl/pipermail/nix-dev/2013-May/011200.html

I think the task could fit the kind of hackathon you describe.
Technically Hydra is written in Perl, and Guix is written in Scheme.
Guix is a GNU package; Hydra is not, and Guix is not its only user.

It’s unlikely that Guix hackers will be physically present, but
hopefully you can find someone on #guix on Freenode!

Thanks,
Ludo’.

Attachment: pgpojDB7I6Z_9.pgp
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]