!tPxtoBdChSsxHuBlNW:nixos.org

NixOS Marketing

260 Members
NixOS website + marketing team: https://nixos.org/community/teams/marketing.html57 Servers

Load older messages

SenderMessageTime
27 Nov 2024
@crertel:matrix.orgcrertel
  • download seems important since it's where you get nixos
  • values seems important given the last year...after things settle down maybe it could be moved
  • community...lots of important stuff there but it's all bunched together (and another PR I put out there to answer somebody's idea would split it into yet another tab, teams)
  • blog refers to something that changes...maybe every couple of months?
  • donate is important because money
  • explore...is a whole thing and I'm not sure learn doesn't already encompass it
01:52:07
@crertel:matrix.orgcrerteland like, I know folks put effort into these pages at one time or another, so I don't want to just bulldoze that01:52:29
@crertel:matrix.orgcrertelbut uh, there's some prime real estate that could probably use redevelopment01:52:42
@crertel:matrix.orgcrertel

back to the security thing, my issues with the current team page are basically:

  • it currently reads as "here's information about the security thing", instead of a more directly actionable "if you want to do x, go to y; if you want report z, email w"
  • it currently suggests that private reports should go directly to humans (instead of an email alias), which has the obvious problems of "what happens if the human selected is slow to respond for whatever reason?", "what happens if the second person is slow to respond?", "what record exists outside of their email account that yes, indeed, somebody did report an issue?"
  • having three different places to look for security is suboptimal--security tends not to be partition tolerant, and if I can't find what I need in the first two places why am I going to spend time on a third?

Of these, the easiest fix is the first--the second requires a bit more coordination and the third would be a big change over on the security team I think. So, I was just trying to pull on the first thread mainly.

01:59:28
@crertel:matrix.orgcrertel(and yes, I know that the "if you want to report..." does technically exist. never underestimate the ability of users to do the wrong thing when presented with something that isn't a flowchart with blinking lights and monosyllables. I include myself in that population.)02:00:44
@hexa:lossy.networkhexaThere is trade-offs in reporting. We support encrypted reports through GPG and we just won't manage a shared key. We could make more use of the security@ alias for everything else though.02:01:26
@crertel:matrix.orgcrertel

I was thinking of a very specific workflow:

  • Every incoming initial report goes to security@
  • security@ forwards the messages to the currently active team
  • security@ forwards the messages to an archive account (or indeed, perhaps could just be the archive account itself)
  • team reaches back out over normal channels, cc'ing security

I'm not sure how that would interact with the GPG thing, but I'm also not really sure that GPG is as important as a redundant and auditable comms.

02:05:02
@crertel:matrix.orgcrertel("normal channels" here being GPG email or what have you)02:05:39
@hexa:lossy.networkhexaI'm not sure that an audit trail is high on our list of priorities, and we generously cc reports between team members either way02:06:16
@hexa:lossy.networkhexait is how we track whether a thing was actually replied to02:07:20
@crertel:matrix.orgcrertelWasn't one of the things from earlier this year folks not really knowing who was alerted when about 2.24 puckipedia thing? I don't have a lot of visibility into that, but audit logs of emails and touchpoints seem like they would've been helpful there when people were debugging later what went wrong. The thing about manual cc'ing is that it makes it's a manual process, and any manual process will get goofed up eventually--so, a mailing list or some other automated system would probably help. If I'm understanding you correctly, the biggest issue with a mailing list is the lack of PGP support for encrypted reports? Or did I misunderstand you?02:13:32
@crertel:matrix.orgcrertel * Wasn't one of the things from earlier this year folks not really knowing who was alerted when about 2.24 puckipedia thing? I don't have a lot of visibility into that, but audit logs of emails and touchpoints seem like they would've been helpful there when people were debugging later what went wrong. The thing about manual cc'ing is that it makes ia manual process, and any manual process will get goofed up eventually--so, a mailing list or some other automated system would probably help. If I'm understanding you correctly, the biggest issue with a mailing list is the lack of PGP support for encrypted reports? Or did I misunderstand you?02:13:57
@crertel:matrix.orgcrertel * Wasn't one of the things from earlier this year folks not really knowing who was alerted when about 2.24 puckipedia thing? I don't have a lot of visibility into that, but audit logs of emails and touchpoints seem like they would've been helpful there when people were debugging later what went wrong. The thing about manual cc'ing is that it makes a manual process, and any manual process will get goofed up eventually--so, a mailing list or some other automated system would probably help. If I'm understanding you correctly, the biggest issue with a mailing list is the lack of PGP support for encrypted reports? Or did I misunderstand you?02:14:05
@hexa:lossy.networkhexaa list adds complexity, it can be done, but it is not a must02:15:13
@hexa:lossy.networkhexaand if you asked puck she would probably tell you that these issues had nothing to do with the security team02:16:05
@hexa:lossy.networkhexa * and if you asked puck she would probably tell you that these issues had nothing to do with this security team02:16:09
@crertel:matrix.orgcrertel¯\_(ツ)_/¯ everybody sees a different part of the elephant lol02:17:00
@crertel:matrix.orgcrertelAnd then another question...looking at the github, I see a label for "status:wait-for-upstream"...is that for "there's nothing we as packagers can do on this except wait for the package to fix it"?02:17:06
@hexa:lossy.networkhexawe did eventually package schleuder some time ago to look into an encrypted mailing list, but the priorities are just elsewhere right now02:17:19
@hexa:lossy.networkhexayes, means "nothing" we can do downstream02:17:46
@crertel:matrix.orgcrerteland schleuder would be...infra team, not security team, I'm guessing?02:18:08
* @hexa:lossy.networkhexa puts on his infra hat02:18:31
@crertel:matrix.orgcrertellol02:18:44
@crertel:matrix.orgcrertelwhat're the current priorities re: infra? there's the ofborg decommissioning/move out of equinix, right?02:20:10
@hexa:lossy.networkhexareplacing all that we loose at EOY to some degree02:21:34
@hexa:lossy.networkhexaand long-term planning for a more sustainable future02:21:53
@hexa:lossy.networkhexaupgrade hydra for more parallel build capacity02:22:15
@crertel:matrix.orgcrertelwas there any progress/attempt at getting a little more time so y'all don't have to rush around the holidays?02:22:22
@hexa:lossy.networkhexaand get the s3 bucket size and cost under control02:22:38
@crertel:matrix.orgcrertel(doing all this work with Christmas, New Years, and CCC coming up probably sucks and is stressful)02:22:49

Show newer messages

Back to Room ListRoom Version: 6