On 2025-04-04 23:51, Simon Josefsson via "Development of GNU Guix and the GNU System distribution." wrote:
> I think a Guix security team has at least two different tasks:
>
> 1) Answer privately about any security coordination needed, especially
> about Guix-specific problems.

So this one seems in place IIRC.

> 2) Work on updating packages in Guix with known security issues, whether
> publicly or not.

My main concern was indeed this second task.

> Comparing with Debian, that security team also works to actually publish
> updates of packages when external events happen. For example, comparing
> with the debian-security-announce list, who is tasked with noticing and
> making a package update of the 'atop' tool for this problem?
>
> https://www.openwall.com/lists/oss-security/2025/03/29/1
>
> For me, I would like to see a distribution I use for production use to
> have a track record of say 1 year of publicly acknowledging and
> announcing fixes to various world events around it. Otherwise it feels
> quite opaque to trust it; how am I to know if very common security
> problems are patched or not?

I agree this is an important point to address for any distribution to consider using in real-life scenarios.

> Of course, for each and every particular
> issue, I can research the Guix git history. But that's not what I am
> looking for: instead I'd like to see some continuous mailing list or RSS
> flow with security fixes that a Guix security team is monitoring and
> applying.

--
Best regards,
Nicolas Graves