!tPxtoBdChSsxHuBlNW:nixos.org

NixOS Marketing

260 Members
NixOS website + marketing team: https://nixos.org/community/teams/marketing.html58 Servers

Load older messages

SenderMessageTime
27 Nov 2024
@crertel:matrix.orgcrertel

Hi!

I was redirected here to discuss things. I've made some PRs, some merged, some stalled, some pending, some closed. I'm happy to follow process, but I'd also like to be able to productively use my time and Github issues seems like a perfectly reasonable way of working out in the open (and discoverability for Matrix is suboptimal for discussion and decisonmaking when compared with forge tooling).

The PRs in question I'd like feedback on on pushing forward:

  • https://github.com/NixOS/nixos-homepage/pull/1587 -- This one is about closing 1511, a pretty straightforward request by somebody ( fricklerhandwerk I think?) to start debloating the community page.
  • https://github.com/NixOS/nixos-homepage/pull/1573 -- This one is about trying to figure out how to make security front-and-center on the site as something the NixOS distribution cares about. Currently, it's kinda buried in the community security team page--and working on this has shown that the email alias for security@nixos.org seems to be either busted or have spotty connectivity to the folks on the security team (based on testing). The thing here is that I don't actually know what the security policy should be (though I have guesses) and I'm trying to avoid telling the security folks how to do their job. I was kinda hoping we could workshop the PR and get to a good place with stakeholders (as has happened successfully with, for example, the extensive work on the immich PR).

Thanks!

01:26:00
@hexa:lossy.networkhexaimage.png
Download image.png		01:38:26
@hexa:lossy.networkhexasecurity is already down here01:38:30
@hexa:lossy.networkhexawe already get lots of useful reports01:38:34
@hexa:lossy.networkhexaimplementing well-known security is what is currently missing01:40:16
@hexa:lossy.networkhexahttps://en.wikipedia.org/wiki/Security.txt01:41:03
@hexa:lossy.networkhexahttps://datatracker.ietf.org/doc/html/rfc911601:41:15
@hexa:lossy.networkhexayou kinda went in without a concrete plan01:41:41
@hexa:lossy.networkhexaprior art was linked early on and not acted upon01:42:01
@crertel:matrix.orgcrertelI was asking for a plan, and the information you just gave me--which would've been helpful to have on a comment on that PR--is a big help. Thank you!01:42:05
@crertel:matrix.orgcrertel

There's another philosophical question which is: would it be a good idea to put security right on the navbar? My personal bet is yes, because:

  • there was a semi-high-profile kerfluffle earlier this year and not having an obvious single touchpoint seems to have hurt there.
  • more generally (outside of internal NixOS stuff), one of the hugely useful things about using NixOS is supply chain integrity and other things of interest to security-conscious users.
01:45:33
@hexa:lossy.networkhexa

there was a semi-high-profile kerfluffle earlier this year and not having an obvious single touchpoint seems to have hurt there.

Uh … what?

01:46:31
@hexa:lossy.networkhexaI don't mind whether it is down there or up there, but the start page mentions security a bit too much01:47:15
@hexa:lossy.networkhexaimage.png
Download image.png		01:47:18
@hexa:lossy.networkhexamoving it up would improve the tab order01:47:36
@crertel:matrix.orgcrertelSure, and we could probably stand to ditch a tab or two as well...it is a little busy.01:48:02
@crertel:matrix.orgcrertel(and again, I'm not wed to this, just kicking around an idea)01:48:19
@avocadoom:avocadoom.deavocadoomHmmm, at some point we maybe should consider some kind of drop down menu for the main nav, otherwise this would clog up a lot01:49:01
@crertel:matrix.orgcrertelimage.png
Download image.png		01:49:27
@crertel:matrix.orgcrertelso that's what we have right now01:49:31
@avocadoom:avocadoom.deavocadoomYup01:51:25
@crertel:matrix.orgcrertel
  • download seems important since it's where you get nixos
  • values seems important given the last year...after things settle down maybe it could be moved
  • community...lots of important stuff there but it's all bunched together (and another PR I put out there to answer somebody's idea would split it into yet another tab, teams)
  • blog refers to something that changes...maybe every couple of months?
  • donate is important because money
  • explore...is a whole thing and I'm not sure learn doesn't already encompass it
01:52:07
@crertel:matrix.orgcrerteland like, I know folks put effort into these pages at one time or another, so I don't want to just bulldoze that01:52:29
@crertel:matrix.orgcrertelbut uh, there's some prime real estate that could probably use redevelopment01:52:42
@crertel:matrix.orgcrertel

back to the security thing, my issues with the current team page are basically:

  • it currently reads as "here's information about the security thing", instead of a more directly actionable "if you want to do x, go to y; if you want report z, email w"
  • it currently suggests that private reports should go directly to humans (instead of an email alias), which has the obvious problems of "what happens if the human selected is slow to respond for whatever reason?", "what happens if the second person is slow to respond?", "what record exists outside of their email account that yes, indeed, somebody did report an issue?"
  • having three different places to look for security is suboptimal--security tends not to be partition tolerant, and if I can't find what I need in the first two places why am I going to spend time on a third?

Of these, the easiest fix is the first--the second requires a bit more coordination and the third would be a big change over on the security team I think. So, I was just trying to pull on the first thread mainly.

01:59:28
@crertel:matrix.orgcrertel(and yes, I know that the "if you want to report..." does technically exist. never underestimate the ability of users to do the wrong thing when presented with something that isn't a flowchart with blinking lights and monosyllables. I include myself in that population.)02:00:44
@hexa:lossy.networkhexaThere is trade-offs in reporting. We support encrypted reports through GPG and we just won't manage a shared key. We could make more use of the security@ alias for everything else though.02:01:26
@crertel:matrix.orgcrertel

I was thinking of a very specific workflow:

  • Every incoming initial report goes to security@
  • security@ forwards the messages to the currently active team
  • security@ forwards the messages to an archive account (or indeed, perhaps could just be the archive account itself)
  • team reaches back out over normal channels, cc'ing security

I'm not sure how that would interact with the GPG thing, but I'm also not really sure that GPG is as important as a redundant and auditable comms.

02:05:02
@crertel:matrix.orgcrertel("normal channels" here being GPG email or what have you)02:05:39
@hexa:lossy.networkhexaI'm not sure that an audit trail is high on our list of priorities, and we generously cc reports between team members either way02:06:16

Show newer messages

Back to Room ListRoom Version: 6