[Nix-dev] Secure NixOS

Arseniy Seroka ars.seroka at gmail.com
Sun Dec 6 20:29:58 CET 2015


Greetings, friends and colleagues.

This is a joint letter by me and Jonn Mostovoy, co-founders of
Serokell, regarding the state of security in NixOS and a roadmap for fixing
it.

Hopefully, all of us are using NixOS in our companies; however, most of the
time, NixOS machines are deep within the perimeter and aren't facing the wild
Internet because the reaction time to a newly found vulnerability is very
long, especially compared with the lag in other distros such as Arch Linux.
Also, the proper update process can be tediously slow.

When we faced the problem of making systems that are designed to run 24/7 in
extremely hostile networks, we decided to take Arch and, well,
re-implement some ideas from Nix, because it was cheaper and safer
business-wise.

Of course, we really want to throw away our pathetic reinvented wheel and
just use NixOS. But for that, three major things have to be done:
1. We have to switch to the model of package updates implemented by Nicolas
and widely announced at NixCon;
2. Fund a team of itsec professionals who will perform maintenance of
nixpkgs;
3. Make sure that grsecurity patchsets and other kernel hardening flavors
(which – ?) are shown to work and integrated into system configuration. Or
make it easy to apply these patchsets if someone needs them.

Regarding (1), it's a question of community / individual effort, to which we
would gladly contribute. Regarding (2) — we think that businesses that use
NixOS should pool up some resources, make a tender and deal with the itsec
group who will win this tender. Again, we are ready to lead the charge
here. It is worth noting that the NixOS community already has a CVE scraper
that, if I recall correctly, maps CVEs to packages. (3), of course, is also
a question of individual / community effort; what's more, undoubtedly most
of the people who run systems that ought to match certain security
parameters have already made expressions for custom kernels, we just need to
generalize the most common use cases and put those in the configuration set.

If we manage to reach the aforementioned goals, from the least secure popular
distro, NixOS will become the most secure one, which would be a huge win
both for every single member of the Nix community and for marketing.

--
Kindest regards,
Arseniy and Jonn