Hello, hellekin <[email protected]> skribis:
> My objective with this email is to gather a list of suggestions as to > where to put the effort on your various projects, in order to make it > more convenient for them to choose. I'm willing to gather > security-related bugs that they can look into and fix over a period of > 3 days (obviously not full time), or ideas for useful tools related to > privacy or security. This sounds like a great initiative. For Guix, a bug that we have is that pre-built binaries downloaded from hydra.gnu.org are not cryptographically signed. Note that, unlike most other distros, binaries are not uploaded manually by the package maintainer; instead, the build farm at hydra.gnu.org just builds all the packages using recipes from the Guix repo, and publishes the binaries over HTTP. So the fix is twofold: first Hydra (the software behind hydra.gnu.org) needs to be modified to produce and publish digital signatures; second Guix’s “substituter” (the program that fetches pre-built binaries) needs to actually fetch those signatures and check against them. Ways to do it have been discussed before: http://lists.gnu.org/archive/html/bug-guix/2013-05/msg00087.html http://lists.science.uu.nl/pipermail/nix-dev/2013-May/011200.html I think the task could fit the kind of hackathon you describe. Technically Hydra is written in Perl, and Guix is written in Scheme. Guix is a GNU package; Hydra is not, and Guix is not its only user. It’s unlikely that Guix hackers will be physically present, but hopefully you can find someone on #guix on Freenode! Thanks, Ludo’.
pgpYw3iLXniPx.pgp
Description: PGP signature
