Add security page

[crertel]

This PR is to start a discussion and hopefully get us an easy-to-find and short but useful security page.

I don't know what should go in these sections, so I need comment from @fricklerhandwerk @tomberek @NixOS/security and I guess whoever else knows about these things.

My thinking is that if you hit the front page with a question about security that a) there should be something on the navbar right there about security (since, you know, we are trying to take it seriously) and b) clicking on that should take you to a page with clear, actionable instructions to either get you submitting your concern or answering your likely question in short order. This PR gets us in a position to do that.

[crertel]

Prior art:

• What Debian does, linked from their front page
• What Arch does, linked from their navbar
• What OpenSuse does, which took many levels of clicking through non-obvious contribution pages
• What Gentoo does, took a couple of clicks
• What RHEL does, took some clicking
• Lix has an email in their footer.
• What DetSys does, though I think this is more geared at Flakehub.

[crertel]

Do we not have a [email protected] or similar alias?

[LeSuisse]

Hello,

Currently there is a Security link in the footer linking to https://nixos.org/community/teams/security/ providing information to privately report security issue. We get some notifications regularly so this process is already mostly working.

Do we need another page?

Do we not have a [email protected] or similar alias?

A mailing list exists with our 3 emails, I'm however not entirely sure how it is managed.

[mweinelt]

Managed by the infra team.

[crertel]

@LeSuisse:

Do we need another page?

So, this is why I've got the strawman up. I think the team page is good for telling about the team, but in terms of getting people the information or next steps they need to file a report it's kinda rough. The optics are that we in recent memory had at least one large dropped ball, and it'd probably help to make it painfully obvious that we take security seriously and have changed something as we improve our processes from that dropped ball.

It may well be that we just need to change that page and perhaps link to it more prominently; I'm just spitballing here and getting feedback.

@mweinelt:

Managed by the infra team.

So, do we currently have that alias ([email protected]) pointing at that mailing list? If so, does that mailing list include the current security team? If it doesn't, how hard would it be to add them to it--and if they don't want to be added, is there some other thing that would make more sense?

[tomberek]

Conceptually seems reasonable. I'd expect the content should be driven by the Security team as well as deciding if they want this change. It would give them more visibility to communicate issues and for people to communicate with them.