[Nix-dev] Improving security updates

Domen Kožar domen at dev.si
Fri Apr 10 22:07:30 CEST 2015


On Fri, Apr 10, 2015 at 4:03 PM, Christian Theune <ct at flyingcircus.io>
wrote:

> Hi,
>
> On 10 Apr 2015, at 21:52, Domen Kožar <domen at dev.si> wrote:
>
>
> Yup - which translates to: if you're using Gentoo you're rolling your own
> security updates. That's why the adoption is really low.
>
>
> Right. Obviously I’d like to eat my cake and have it. My gain is a
> support-horizon for a certain “release” that is different/longer than what
> upstream does (i.e. I can make my own choices whether updating really fits
> on my plate in sync with upstream). Wiggle room is nice to have - but we
> have to pay for it, of course.
>
> But: my point was that my experience with the multi-step system is a good
> one. a) noticing which packages have a problem b) marking packages as
> afflicted c) noticing which of those packages are actually in use.
>
> What Gentoo lacked for a while (and this was extremely critical at times)
> was good tooling that keeps the effort low (it was supposedly insane to do
> the work so nobody really volunteered) and the security team was almost
> non-existent at some point. It’s better now but not as good as I’d like it.
>
> Interestingly, the hardest part, “discover which vulnerabilities
> exist and which are important to us”, needs to be solved by everyone, and
> apparently, everyone anew.
>
> Everything after that seems trivial to me, but I might be blind. ;)
>


I can fully agree - which basically translates to: once enough companies are
using Nix we can sit down and write this up :)