GNU bug report logs - #47823
Hardenize Guix website TLS/DNS

Previous Next

Package: guix;

Reported by: bo0od <bo0od <at> riseup.net>

Date: Fri, 16 Apr 2021 11:01:01 UTC

Severity: normal

Full log

Message #20 received at 47823 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <marius <at> gnu.org>
To: Julien Lepiller <julien <at> lepiller.eu>, Leo Famulari <leo <at> famulari.name>,
 bo0od <bo0od <at> riseup.net>
Cc: 47823 <at> debbugs.gnu.org
Subject: Re: bug#47823: Hardenize Guix website TLS/DNS
Date: Mon, 24 May 2021 23:36:40 +0200

[Message part 1 (text/plain, inline)]
Julien Lepiller <julien <at> lepiller.eu> skriver:

> Le 16 avril 2021 12:15:25 GMT-04:00, Leo Famulari <leo <at> famulari.name> a écrit :
>>On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>> Scanning Guix website gave many missing security features which
>>modern
>>> security needs them to be available:
>>> 
>>> * TLS and DNS:
>>> 
>>> looking at:
>>> 
>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>> 
>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>
>>Thanks!
>>
>>> - DNS: DNSSEC support missing (important)
>>
>>Hm, is it important? My impression is that it's an idea whose time has
>>passed without significant adoption.
>>
>>But maybe we could enable it if the costs are not too great.
>
> gnu.org does not have dnssec, so we'd need them to work on that first.

gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
on machines with systemd-resolved:

  https://github.com/systemd/systemd/issues/9867

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 2 years and 13 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.