Re: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?

2021-03-17 Thread zimoun
Hi,

On Wed, 17 Mar 2021 at 07:24, Léo Le Bouter wrote:

> I think we can handle this without granting us any special powers, I
> like it that we don't have roles actually!
>
> We can discuss, debate, agree to common goals, I don't think we are
> going to enter into conflict, we hear each other, we communicate, I
> think that's a really good thing in GNU Guix :-D
>
> Lots of other communities enter into conflict fast and stop
> communicating, GNU Guix is not that, there's a spirit of goodwill from
> everyone and that's really pleasant to experience as a contributor and user.

I agree and am aligned with these words. (Without saying there are de
facto hats. :-))

The downside is that sometimes things stall.  Examples:
core-updates unmerged for ~10 months, patches that fall through the cracks,
old bugs never closed, etc. Pick any non-fun stuff. :-)

A hard topic about collective work in general: is it possible to scale
with only implicit hats and no explicit ones? :-)  Hat meaning feeling in
charge and doing the job to make it happen.


Cheers,
simon



Re: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?

2021-03-17 Thread Léo Le Bouter
On Tue, 2021-03-16 at 22:46 +0100, Bengt Richter wrote:
> I would feel better about running guix on my laptop if I
> knew all you developers had gotten together and elected
> a "security czar" who is the most competent of you to monitor
> security and also cares the most, and had the power to prevent
> applying unreviewed patches, and making sure all CVEs are taken
> care of, and kitchen doors not left open the way we did in the '50s.
> 
> Sorry if it sounds like I think guix security is lax.
> Please convince me it's not so ;)
> 
> Thanks, nevertheless, for all the great technical work!
> 
> Just wish I could type
> guix --what-and-who-am-I-trusting-q --full-report
> and get a complete list, with batting averages of the
> developers (regressions vs fixes), packages (estimated
> number of times executed without problem, dangerous bugs
> in development history, etc).

I think we can handle this without granting us any special powers, I
like it that we don't have roles actually!

We can discuss, debate, agree to common goals, I don't think we are
going to enter into conflict, we hear each other, we communicate, I
think that's a really good thing in GNU Guix :-D

Lots of other communities enter into conflict fast and stop
communicating, GNU Guix is not that, there's a spirit of goodwill from
everyone and that's really pleasant to experience as a contributor and user.




Re: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?

2021-03-16 Thread Leo Famulari
On Tue, Mar 16, 2021 at 10:46:11PM +0100, Bengt Richter wrote:
> Just wish I could type
> guix --what-and-who-am-I-trusting-q --full-report
> and get a complete list, with batting averages of the
> developers (regressions vs fixes), packages (estimated
> number of times executed without problem, dangerous bugs
> in development history, etc).

Leaving aside the rest of your suggestion, which has merit, I strongly
object to ranking Guix contributors in that way. Most of us feel bad
enough about our mistakes without some kind of public scoreboard.

In general, as the person who was the de facto security team leader for
several years, I feel that such a position should be supported in a
material way.



Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?

2021-03-16 Thread Bengt Richter
Hi all,

On +2021-03-16 15:29:43 -0400, Leo Famulari wrote:
> On Tue, Mar 16, 2021 at 08:25:50PM +0100, zimoun wrote:
> > Hi,
> > 
> > On Tue, 16 Mar 2021 at 20:18, Leo Famulari wrote:
> > > On Tue, Mar 16, 2021 at 07:19:53PM +0100, zimoun wrote:
> > > > I guess that it will not build for i686.  Does it?
> > >
> > > I don't know. Either we will find out when building on CI, or people can
> > > test it manually now.
> > 
> > Please try out the patch from:
> > 
> > 
> > 
> > and if it works for you, please apply it.
> 
> No, sorry :) Someone else (maybe an i686 user?) will have to find the
> time to test it.
> 

I would feel better about running guix on my laptop if I
knew all you developers had gotten together and elected
a "security czar" who is the most competent of you to monitor
security and also cares the most, and had the power to prevent
applying unreviewed patches, and making sure all CVEs are taken
care of, and kitchen doors not left open the way we did in the '50s.

Sorry if it sounds like I think guix security is lax.
Please convince me it's not so ;)

Thanks, nevertheless, for all the great technical work!

Just wish I could type
guix --what-and-who-am-I-trusting-q --full-report
and get a complete list, with batting averages of the
developers (regressions vs fixes), packages (estimated
number of times executed without problem, dangerous bugs
in development history, etc).



-- 
Regards,
Bengt Richter