
Call for volunteer(s) for Guix "security" web page

Message ID 20160925225248.GA13131@jasmine
State New

Commit Message

Leo Famulari Sept. 25, 2016, 10:52 p.m. UTC
On Fri, Sep 16, 2016 at 12:14:58PM -0400, Leo Famulari wrote:
> Hello!
> 
> GNU Guix should make it easier for bug reporters to contact us to report
> issues in Guix and Guix packages.
> 
> So, we'd like to add a short "Security" page to our web site [0]. This
> page should:
> 
> 1) Explain how to contact us privately about security issues [1],
> 
> 2) Describe the Guix release signing key [2],
> 
> 3) And include a link to the security updates section of the manual [3].

I've attached my first draft of this page. This patch is for
guix-artwork.git.

Please give me your feedback.

I'm specifically unsure of what to say about the signing key. Should we
recommend that users get it from a certain place? Should we provide the
public key itself on this page?
From 30699a5a8de5ac09c6fbba93be6b88a1d77bc039 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sun, 25 Sep 2016 18:43:28 -0400
Subject: [PATCH] www: security: New page.

* website/www/security.scm: New file.
* website/www.scm (%web-pages): Add security-page.
* website/www/shared.scm (html-page-links): Add "Security".
---
 website/www.scm          |  2 ++
 website/www/security.scm | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
 website/www/shared.scm   |  1 +
 3 files changed, 52 insertions(+)
 create mode 100644 website/www/security.scm

Comments

Ludovic Courtès Sept. 27, 2016, 8:58 a.m. UTC | #1
Hi Leo,

Thanks a lot both for sending the call and replying to it!  :-)

> From 30699a5a8de5ac09c6fbba93be6b88a1d77bc039 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Sun, 25 Sep 2016 18:43:28 -0400
> Subject: [PATCH] www: security: New page.
>
> * website/www/security.scm: New file.
> * website/www.scm (%web-pages): Add security-page.
> * website/www/shared.scm (html-page-links): Add "Security".

[...]

> +               (h2 "How to report security issues")
> +               (p "To report sensitive security issues in Guix itself or the packages it "
> +                  "provides, you can write to the private mailing list "
> +                  (a (@ (href "https://lists.gnu.org/mailman/listinfo/guix-security"))
> +                     ("guix-security@gnu.org"))
> +                     ".  This list is monitored by a small team of Guix "
> +                     "developers.")
> +               (h2 "Release signatures")
> +               (p "Releases of Guix and GuixSD are signed using the OpenPGP "
> +                  "key with the fingerprint "
> +                  "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5.  "
> +                  "This key can be obtained from XXX.")

Maybe link to
<https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html>
or copy/paste the text?  Though we should give a ‘gpg --recv-keys’
command that uses the full fingerprint instead of just the 64-bit ID
(which is still too small, some say.)

> +               (h2 "Security updates")
> +               (p "When security vulnerabilities are found in Guix or the "
> +                  "packages provided by Guix, we will provide "
> +                  (a (@ (href ,(base-url "manual/html_node/Security-Updates.html")))
> +                     "security updates")
> +                  " quickly and with minimal disruption for users.")

Maybe also that Guix is a “rolling release”, so there’s currently no
separate security-fix branch and all critical fixes go to master?

I guess you can already commit that!

I wonder if it would make sense to add a note on reproducible builds,
‘guix challenge’ and all that; later maybe!

Note that you’ll then need to commit the resulting HTML to CVS(!) so that
the updated pages show up, as per the instructions available on the
Savannah project page.  If you’re unsure or anything, I can do that.

Thank you!

Ludo’.
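The point raised above about fetching the key by its full fingerprint rather than a 64-bit ID is worth making concrete. The following is an added example, not part of the guix-artwork patch or of the Guix project's own tooling: a POSIX sh snippet that fetches the release key by full fingerprint and then checks a signature the way a practitioner should, by pinning the fingerprint that gpg reports on its `VALIDSIG` status line instead of trusting `gpg --verify`'s exit status (which is satisfied by any key in the keyring) or the key ID on the `GOODSIG` line. The fingerprint is the one quoted in the draft page; the `--status-fd` line formats are those documented in GnuPG's doc/DETAILS; the two status transcripts and the "impostor" fingerprint (invented so that it shares the same low 16 hex digits, i.e. the same 64-bit key ID) are constructed for the example. `gpg --recv-keys` is left to use whatever keyserver gpg is configured with.

```shell
#!/bin/sh
# Added example (not part of the guix-artwork patch or the Guix project's own
# scripts): verify a release signature while pinning the signer's FULL
# OpenPGP fingerprint, rather than trusting any key gpg happens to know
# or matching on a 64-bit key ID.
#
# The fingerprint is the one quoted on the security page. The GnuPG
# --status-fd line formats (GOODSIG, VALIDSIG) are as documented in
# GnuPG's doc/DETAILS. The two status transcripts below are constructed
# for the example; the "impostor" fingerprint is invented to share the
# same last 16 hex digits (the 64-bit key ID) with the real one.

set -u

GUIX_RELEASE_FPR="3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5"

# Strip the spacing gpg uses when printing fingerprints and upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# The 64-bit "long" key ID is just the low 16 hex digits of a v4 fingerprint
# (RFC 4880, section 12.2).  Two keys can share it while differing elsewhere.
keyid_of_fpr() {
    normalize_fpr "$1" | tail -c 16
}

# Print every fingerprint gpg reports on VALIDSIG lines: the signing (sub)key
# fingerprint in field 3 and, when present, the primary key fingerprint in the
# last field.  VALIDSIG is only emitted for signatures that cryptographically
# verified; GOODSIG carries only a key ID and is not used here.
validsig_fprs() {
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            print $3
            if (NF >= 12 && length($NF) == 40 && $NF ~ /^[0-9A-Fa-f]+$/)
                print $NF
        }'
}

# Succeed only if some VALIDSIG fingerprint equals the pinned one.
signature_pinned_ok() {
    status_text="$1"
    expected=$(normalize_fpr "$2")
    for f in $(validsig_fprs "$status_text"); do
        if [ "$(normalize_fpr "$f")" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# Real-world use (needs gpg and network; not exercised by the samples below):
# fetch the key by its full fingerprint, then verify and pin.
fetch_and_verify() {
    tarball="$1"
    sig="$2"
    gpg --recv-keys "$(normalize_fpr "$GUIX_RELEASE_FPR")" || return 1
    # --status-fd 1 puts the machine-readable lines on stdout; gpg's exit
    # status is deliberately ignored because the pin below is what decides.
    status_text=$(gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || true
    signature_pinned_ok "$status_text" "$GUIX_RELEASE_FPR"
}

# --- constructed sample status output ------------------------------------
# A good signature from the pinned key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 090B11993D9AEBB5 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 2016-09-25 1474844400 0 4 0 1 10 00 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# A good signature from an unrelated (invented) key whose fingerprint ends in
# the same 64-bit ID.  The GOODSIG line is identical; only the full
# fingerprint on VALIDSIG tells the two apart.
IMPOSTOR_FPR="0123456789ABCDEF01234567090B11993D9AEBB5"
SAMPLE_IMPOSTOR="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 090B11993D9AEBB5 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $IMPOSTOR_FPR 2016-09-25 1474844400 0 4 0 1 10 00 $IMPOSTOR_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"

if signature_pinned_ok "$SAMPLE_GOOD" "$GUIX_RELEASE_FPR"; then
    echo "good sample: signature pinned to $(normalize_fpr "$GUIX_RELEASE_FPR")"
fi
if ! signature_pinned_ok "$SAMPLE_IMPOSTOR" "$GUIX_RELEASE_FPR"; then
    echo "impostor sample: rejected despite matching key ID $(keyid_of_fpr "$IMPOSTOR_FPR")"
fi
```

The design choice is that the check keys on `VALIDSIG`, the only status line that carries the full fingerprint and is only printed for a signature that actually verified; `GOODSIG` identifies the key by its 64-bit ID, which is exactly the handle the discussion above says is too small to rely on.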

Patch

diff --git a/website/www.scm b/website/www.scm
index f0465eb..244830b 100644
--- a/website/www.scm
+++ b/website/www.scm
@@ -28,6 +28,7 @@ 
   #:use-module (www about)
   #:use-module (www contribute)
   #:use-module (www help)
+  #:use-module (www security)
   #:use-module (sxml simple)
   #:use-module (sxml match)
   #:use-module (web client)
@@ -335,6 +336,7 @@  Distribution.")
     ("donate/index.html" ,donate-page)
     ("download/index.html" ,download-page)
     ("help/index.html" ,help-page)
+    ("security/index.html" ,security-page)
     ;; ("packages/index.html" ,packages-page) ; Need Guix
     ;; ("packages/issues.html" ,issues-page)
     ))
diff --git a/website/www/security.scm b/website/www/security.scm
new file mode 100644
index 0000000..09e9748
--- /dev/null
+++ b/website/www/security.scm
@@ -0,0 +1,49 @@ 
+;;; GuixSD website --- GNU's advanced distro website
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;;
+;;; This file is part of GuixSD website.
+;;;
+;;; GuixSD website is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU Affero General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GuixSD website is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU Affero General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU Affero General Public License
+;;; along with GuixSD website.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (www security)
+  #:use-module (www utils)
+  #:use-module (www shared)
+  #:export (security-page))
+
+(define (security-page)
+  `(html (@ (lang "en"))
+         ,(html-page-header "Security")
+         ,(html-page-links)
+         (div (@ (id "content-box"))
+              (article
+               (h1 "Security")
+               (h2 "How to report security issues")
+               (p "To report sensitive security issues in Guix itself or the packages it "
+                  "provides, you can write to the private mailing list "
+                  (a (@ (href "https://lists.gnu.org/mailman/listinfo/guix-security"))
+                     ("guix-security@gnu.org"))
+                     ".  This list is monitored by a small team of Guix "
+                     "developers.")
+               (h2 "Release signatures")
+               (p "Releases of Guix and GuixSD are signed using the OpenPGP "
+                  "key with the fingerprint "
+                  "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5.  "
+                  "This key can be obtained from XXX.")
+               (h2 "Security updates")
+               (p "When security vulnerabilities are found in Guix or the "
+                  "packages provided by Guix, we will provide "
+                  (a (@ (href ,(base-url "manual/html_node/Security-Updates.html")))
+                     "security updates")
+                  " quickly and with minimal disruption for users.")
+               ,(html-page-footer)))))
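Review bot: the "This key can be obtained from XXX." sentence in the Release signatures paragraph is an unfilled placeholder and should not go in as-is; replace it with an instruction that uses the full fingerprint, e.g. `gpg --recv-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5`, plus a link to the manual's Binary Installation page, since a 64-bit key ID is not a safe lookup handle. Two smaller points in the same hunk: the guix-security@gnu.org anchor wraps its text in an extra list, `("guix-security@gnu.org")`, whereas the "security updates" anchor below passes the string directly, so drop the extra parentheses to keep both anchors in the same SXML shape; and the two continuation strings starting with ".  This list is monitored by" are indented to the `a` form rather than to the `p`'s other string arguments and should be re-aligned.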
diff --git a/website/www/shared.scm b/website/www/shared.scm
index ed864ef..04be0f4 100644
--- a/website/www/shared.scm
+++ b/website/www/shared.scm
@@ -88,6 +88,7 @@  Functional package management,")))
 	    ;; Note: valid only if `packages-page' is exported.
 	    (li (a (@ (href ,(base-url "packages"))) "Packages"))
 	    (li (a (@ (href ,(base-url "help"))) "Help"))
+	    (li (a (@ (href ,(base-url "security"))) "Security"))
 	    (li (a (@ (href ,(base-url "contribute"))) "Contribute"))
 	    (li (a (@ (href ,(base-url "donate"))) "Donate"))
 	    (li (a (@ (href ,(base-url "about"))) "About")))))