Call for Security Contributors

Aux is growing and we need to put together a set of contributors responsible for managing security for the project. If you want to help, please reply in this topic with the following information:

Reason: (why do you want to be a part of SIG Security?)
Experience: (examples of past experience maintaining packages)


I’m in…
IT-Sec/ Compliance/ PKI specialist by trade, this is important :wink:


Would you mind creating a security team on github?

The team has been made Sign in to GitHub · GitHub

1 Like

Thanks for the quick reaction :+1:

1 Like

I’d like to help.


I want Aux’s infrastructure (when it comes time to have some :slight_smile: ) to have exemplary security. Distros are a really juicy point of compromise, so I believe the bar should be high, both in preventing compromise but also detection and response if the worst happens.

I would also like to help with patching packages. In Nix, this was an ongoing struggle due to the volume of CVEs to triage, and some structural issues that made scaling via automation harder. The lag for distributing security fixes to foundational packages is also a problem, it takes a scary delay to patch an actively exploited RCE if it’s in a low level derivation. I would like to work with other Aux folks to see if we can solve this. Some things will probably take years to fix and cross-SIG work (for example, giving Aux a mechanism comparable to guix grafts for rapid patching), but in the meantime I can help with triage, patching packages, and ways to automate those and not burn out maintainers.

Experience: I’ve done appsec and infrasec work professionally for several years now, including security design review, writing and reviewing security-critical code, and security incident response (dealing with incoming disclosures, not post-compromise forensics). I’ve maintained some packages in Nix (and Arch AUR before that), and briefly tried helping with Nix security but didn’t have much success (for organizational reasons at the time, several years ago).

Github username is the same as my discourse username.


Sweet, thanks a lot :+1:

I wanna start building a self-signup process for COMSEC, would you mind testing that you can request membership to these 2 groups plz?

Great to read that you got IR knowledge. That will definitely be something helpful along the way - IMO only a matter of time until that’s going to happen :wink:

1 Like

Looks like I’m already a member of both, possibly @isabel added me? I can remove myself and apply if you want to test stuff though.

No need, we had another member doing both successful in the meantime. Thanks for the offer though


We’re moving to use a different process to add new security contributors, which we’ll describe in About the Security Committee category. For now I’m locking this post