!tPxtoBdChSsxHuBlNW:nixos.org

NixOS Marketing

220 Members, 48 Servers
NixOS website + marketing team: https://nixos.org/community/teams/marketing.html

27 Nov 2024
[01:40:16] hexa (@hexa:lossy.network): implementing well-known security is what is currently missing
[01:41:03] hexa: https://en.wikipedia.org/wiki/Security.txt
[01:41:15] hexa: https://datatracker.ietf.org/doc/html/rfc9116
[01:41:41] hexa: you kinda went in without a concrete plan
[01:42:01] hexa: prior art was linked early on and not acted upon
[01:42:05] crertel (@crertel:matrix.org): I was asking for a plan, and the information you just gave me, which would've been helpful to have as a comment on that PR, is a big help. Thank you!
[01:45:33] crertel:
There's another philosophical question, which is: would it be a good idea to put security right on the navbar? My personal bet is yes, because:

  • there was a semi-high-profile kerfuffle earlier this year and not having an obvious single touchpoint seems to have hurt there.
  • more generally (outside of internal NixOS stuff), one of the hugely useful things about using NixOS is supply chain integrity and other things of interest to security-conscious users.
[01:46:31] hexa:
> there was a semi-high-profile kerfuffle earlier this year and not having an obvious single touchpoint seems to have hurt there.

Uh … what?
[01:47:15] hexa: I don't mind whether it is down there or up there, but the start page mentions security a bit too much
[01:47:18] hexa: [attachment: image.png]
[01:47:36] hexa: moving it up would improve the tab order
[01:48:02] crertel: Sure, and we could probably stand to ditch a tab or two as well... it is a little busy.
[01:48:19] crertel: (and again, I'm not wed to this, just kicking around an idea)
[01:49:01] thilobillerbeck (avocadoom) (@avocadoom:avocadoom.de): Hmmm, at some point we maybe should consider some kind of drop-down menu for the main nav, otherwise this would clog up a lot
[01:49:27] crertel: [attachment: image.png]
[01:49:31] crertel: so that's what we have right now
[01:51:25] thilobillerbeck (avocadoom): Yup
[01:52:07] crertel:
  • download seems important since it's where you get NixOS
  • values seems important given the last year... after things settle down maybe it could be moved
  • community... lots of important stuff there but it's all bunched together (and another PR I put out there to answer somebody's idea would split it into yet another tab, teams)
  • blog refers to something that changes... maybe every couple of months?
  • donate is important because money
  • explore... is a whole thing and I'm not sure learn doesn't already encompass it
[01:52:29] crertel: and like, I know folks put effort into these pages at one time or another, so I don't want to just bulldoze that
[01:52:42] crertel: but uh, there's some prime real estate that could probably use redevelopment
[01:59:28] crertel:
back to the security thing, my issues with the current team page are basically:

  • it currently reads as "here's information about the security thing", instead of a more directly actionable "if you want to do x, go to y; if you want to report z, email w"
  • it currently suggests that private reports should go directly to humans (instead of an email alias), which has the obvious problems of "what happens if the human selected is slow to respond for whatever reason?", "what happens if the second person is slow to respond?", "what record exists outside of their email account that yes, indeed, somebody did report an issue?"
  • having three different places to look for security is suboptimal; security tends not to be partition tolerant, and if I can't find what I need in the first two places why am I going to spend time on a third?

Of these, the easiest fix is the first; the second requires a bit more coordination and the third would be a big change over on the security team I think. So, I was just trying to pull on the first thread mainly.

[02:00:44] crertel: (and yes, I know that the "if you want to report..." does technically exist. never underestimate the ability of users to do the wrong thing when presented with something that isn't a flowchart with blinking lights and monosyllables. I include myself in that population.)
[02:01:26] hexa: There are trade-offs in reporting. We support encrypted reports through GPG and we just won't manage a shared key. We could make more use of the security@ alias for everything else though.
[02:05:02] crertel:
I was thinking of a very specific workflow:

  • Every incoming initial report goes to security@
  • security@ forwards the messages to the currently active team
  • security@ forwards the messages to an archive account (or indeed, perhaps could just be the archive account itself)
  • team reaches back out over normal channels, cc'ing security@

I'm not sure how that would interact with the GPG thing, but I'm also not really sure that GPG is as important as redundant and auditable comms.

[02:05:39] crertel: ("normal channels" here being GPG email or what have you)
[02:06:16] hexa: I'm not sure that an audit trail is high on our list of priorities, and we generously cc reports between team members either way
[02:07:20] hexa: it is how we track whether a thing was actually replied to
[02:13:32] crertel (edited 02:14:05): Wasn't one of the things from earlier this year folks not really knowing who was alerted when about the 2.24 puckipedia thing? I don't have a lot of visibility into that, but audit logs of emails and touchpoints seem like they would've been helpful there when people were debugging later what went wrong. The thing about manual cc'ing is that it makes a manual process, and any manual process will get goofed up eventually, so a mailing list or some other automated system would probably help. If I'm understanding you correctly, the biggest issue with a mailing list is the lack of PGP support for encrypted reports? Or did I misunderstand you?