We’ve had a bit of discussion about how the security team will be organized in the future. @globin is currently laying out an RFC with a detailed description of how it’s gonna be.
But I’d like to draw attention to it right now. The security team will be reviewing and coordinating security fixes, but we are too few people to fix everything ourselves. So we’re asking each package maintainer and any other person willing to contribute to help out.
What can you do?
1. Have a look at the security-relevant issues on GitHub: https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A"1.severity%3A+security"
2. Pick an issue you feel comfortable with.
3. Do some research: is there a newer version available? Has a patch been published? Is the problem relevant for NixOS at all?
4. Fix the package and submit a pull request -or- comment on the issue that nothing needs to be done.
We are currently working on a dashboard-like thingy which will provide a more structured overview. But let’s not wait and start working on security issues right now!