New category security requested

As per title, unfortunately there are more and more security issues. Please add the security category; if we can have a specific ‘webtop’ category, we sure can have a ‘security’ category and an ‘AI’ category. I believe this ‘external’ community does not have much interest in webtop (anymore), but more in actuality topics such as AI and security.

1 Like

I think there is definitely a trend here: security researchers are increasingly using AI tools to discover vulnerabilities, so it’s reasonable to expect a higher number of reported CVEs in the future.

At the same time, I’m not sure this automatically creates the need to discuss every security bulletin here. Raising awareness is important, especially for issues affecting the underlying OS and shared components, but every distribution already has its own security advisories and dedicated discussion channels. We should probably avoid duplicating those efforts in the forum.

Regarding categories, I don’t think fragmentation is always beneficial. Our categories are not meant to be generic topic rooms, but rather to reflect how the community collaborates around the project and its ecosystem. For example, the WebTop category exists because WebTop is an NS8 application but also a project on its own, we host its developers here, and users discuss issues directly with them. I think the same reasoning also applies to the NethSecurity category.

While on one hand it makes sense, on the other it is a bit of a slippery slope.

NS7 was “a distro” (sort of), NS8 is not: it’s an application (longer talk, but bear with me for a second).
NethSec is “a distro”, but the implementation of security updates (as far as I know!) relies completely on Nethesis devs after they rebase OpenWRT packages for the available image or distribution.

So, does having a security category help? Maybe.

On one hand a carefully picked selection of news and advisories could be really useful for lazy NS8 adopters; on the other hand a competent and capable sysadmin (even a not-pro at that task) should do due diligence on security advisories (curated and published by the distro maintainer) and patches. While happy to provide hints and best practices, I don’t think that Nethesis support is here to “cosplay sysadmin” for adopters. NS8 is not a distro anymore.
And for nethsec security updates, well… they’ll come when developers release them.

IMO the risk of reporting any vulnerability is that it increases the volume of content in this community, but is not that helpful to the adopters or the project.

I mean, I’m aware that I was one of the beacons for a security issue, but I tried as best I could to frame the beacon with the most plainspoken and apt description possible, with sources.

However, I’d like to emphasize the need for sysadmin-oriented guidelines and best practices in sysadmin (and not developer) documentation for NS8 hosts/nodes.

1 Like

Please let me know which existing topic you should put/move into a security category or AI category, so we can get it if we actually need it. And I say “existing”, not potential.
I think that for a topic as cross-cutting as “security”, Discourse tags are more useful and consistent:

https://community.nethserver.org/tag/security
https://community.nethserver.org/tag/ai

18 posts were split to a new topic: What about (security) updates available on the official Rocky repo’s?