
Add security page #1573

Status: Open. Wants to merge 2 commits into base: main.
Conversation

crertel (Contributor) commented Nov 5, 2024

This PR is to start a discussion and hopefully get us an easy-to-find and short but useful security page.

[image]

I don't know what should go in these sections, so I need comment from @fricklerhandwerk @tomberek @NixOS/security and I guess whoever else knows about these things.

My thinking is that if you hit the front page with a question about security that a) there should be something on the navbar right there about security (since, you know, we are trying to take it seriously) and b) clicking on that should take you to a page with clear, actionable instructions to either get you submitting your concern or answering your likely question in short order. This PR gets us in a position to do that.

crertel (Contributor, Author) commented Nov 5, 2024

Do we not have a [email protected] or similar alias?

LeSuisse (Contributor) commented Nov 5, 2024

Hello,

Currently there is a Security link in the footer linking to https://nixos.org/community/teams/security/ providing information to privately report security issue. We get some notifications regularly so this process is already mostly working.

Do we need another page?

> Do we not have a [email protected] or similar alias?

A mailing list exists with our 3 emails; I'm however not entirely sure how it is managed.

mweinelt (Member) commented Nov 6, 2024

Managed by the infra team.

crertel (Contributor, Author) commented Nov 6, 2024

@LeSuisse:

> Do we need another page?

So, this is why I've got the strawman up. I think the team page is good for telling about the team, but in terms of getting people the information or next steps they need to file a report it's kinda rough. The optics are that we in recent memory had at least one large dropped ball, and it'd probably help to make it painfully obvious that we take security seriously and have changed something as we improve our processes from that dropped ball.

It may well be that we just need to change that page and perhaps link to it more prominently; I'm just spitballing here and getting feedback.

@mweinelt:

> Managed by the infra team.

So, do we currently have that alias ([email protected]) pointing at that mailing list? If so, does that mailing list include the current security team? If it doesn't, how hard would it be to add them to it--and if they don't want to be added, is there some other thing that would make more sense?

tomberek (Contributor) commented Nov 7, 2024

Conceptually seems reasonable. I'd expect the content should be driven by the Security team as well as deciding if they want this change. It would give them more visibility to communicate issues and for people to communicate with them.

crertel (Contributor, Author) commented Nov 20, 2024

@mweinelt @NixOS/security just bumping this...do we have a security@ alias and does it point at the current security folks? I checked the infra repo and didn't see an obvious definition, and it's unclear to me if the mailing list exists in the normal sense or in the "there is some mailing list under some alias somewhere" sense.

fricklerhandwerk (Contributor) commented:

Maybe also @jfly who has been touching the mail server recently?

mweinelt (Member) commented:

We do maintain a security@ alias.

jfly commented Nov 20, 2024

@crertel, we currently use ImprovMX to manage the security@ alias/list. We're planning to move to a self hosted alternative, which is tracked by NixOS/infra#485.

> do we have a security@ alias and does it point at the current security folks?

I don't have access to ImprovMX, so I can't confirm this. Perhaps @mweinelt or @Mic92 could?

crertel (Contributor, Author) commented Nov 21, 2024

Okay, that's awesome! Is there someplace in the footer or wherever we could add [email protected] while we're figuring out if we want to do the rest of this?

tomberek (Contributor) commented:

@mweinelt Can you help fill in the content portions of the PR?

Mic92 (Member) commented Nov 22, 2024

risicle and tgerbet and hexa receive security@ so this is up-to-date.
Is there any more information needed @tomberek ?

tomberek (Contributor) commented Nov 23, 2024

I mean this: https://github.com/NixOS/nixos-homepage/pull/1573/files#diff-fc516bcf6f7500940e2fe9a73c1a4ace1f7b74f009c6e6872a032a66d9061979R29

          <li>1. Do this.</li>
          <li>2. Then do this.</li>
          <li>1. This happens.</li>
          <li>2. Then this happens.</li>
          <li>3. Finally this happens.</li>

mweinelt (Member) commented Nov 23, 2024

I'd much rather the author did research prior art and came up with a proposal that we could iterate on. Otherwise it shifts too much of the work onto me.

E-Mail is currently our primary reporting pipeline, see https://nixos.org/community/teams/security/
