John Kehayias via "Development of GNU Guix and the GNU System distribution." <guix-devel@gnu.org> writes:
>> Yes, most distributions have a special security point of contact that is
>> not publicly archived, to discuss ways to resolve responsible disclosure
>> vulnerabilities for example. Seeing some progress on this has been one
>> blocker for me to increase dependence on Guix for production systems.
>> The process doesn't have to work perfectly (I don't think anyone would
>> suggest Debian/Fedora/Ubuntu/RHEL/etc handle security bugs perfectly
>> either), but one important step is for the process to exist.
>
> Simon, do you mean there has or has not been progress? As I noted above,
> we do have a private security list for such things though the vast
> majority of CVEs tend to be for older packages we have that need to be
> updated. Issues specific to Guix do get emailed out and posted on the
> website when they are fixed/disclosed.

I was seriously out of date with my comment, and I apologize for making it appear like Guix doesn't have the processes and even a well written document on exactly what I was looking for:

https://guix.gnu.org/en/security/

However, if I still may make a suggestion (or perhaps rhetorically ask a question), what I think is still lacking is the kind of security announcements that Debian and Ubuntu have:

https://lists.debian.org/debian-security-announce/2025/threads.html
https://lists.ubuntu.com/archives/ubuntu-security-announce/2025-April/thread.html

These are regular day-to-day security announcements, which seem more lightweight than the more Guix-specific security advisories:

https://guix.gnu.org/en/blog/tags/security-advisory/

I think a Guix security team has at least two different tasks:

1) Answer privately about any security coordination needed, especially about Guix-specific problems.

2) Work on updating packages in Guix with known security issues, whether publicly or not.

Comparing with Debian, that security team also works to actually publish updates of packages when external events happen.

For example, comparing with the debian-security-announce list, who is tasked with noticing and making a package update of the 'atop' tool for this problem?

https://www.openwall.com/lists/oss-security/2025/03/29/1

For me, I would like to see a distribution I use for production use to have a track record of, say, 1 year of publicly acknowledging and announcing fixes to various world events around it. Otherwise it feels quite opaque to trust it; how am I to know if very common security problems are patched or not? Of course, for each and every particular issue, I can research the Guix git history. But that's not what I am looking for: instead I'd like to see some continuous mailing list or RSS flow with security fixes that a Guix security team is monitoring and applying.

I am now waiting for another link to some already existing guix.gnu.org webpage that makes my request feel very embarrassing :)

/Simon