[Nix-dev] Secure NixOS

Jonn Mostovoy jm at memorici.de
Tue Dec 8 03:53:45 CET 2015


Coincidentally, Jonathan Fischoff (@jfischoff) is talking about
hardening concerns on twitter; he points out that there is already
discussion and work regarding that —
https://github.com/NixOS/nixpkgs/issues/7220
—
Kindest regards,
¬Σ


On Mon, Dec 7, 2015 at 4:12 PM,  <phreedom at yandex.ru> wrote:
> On Monday, December 07, 2015 11:14:14 zimbatm wrote:
>
>> (2) might be a bit difficult. I'm not sure NixOS has enough popularity yet
>> to gather that kind of funding. Also it means going into politics for
>> example to decide which set of packages are security-supported. That being
>> said, we could go a long way towards point 2 by having the scraper notify
>> the package maintainer by email. Having people scan the CVEs is redundant
>> and should be automated away. Personally I know that if I got an email I
>> would probably package the new version the same day.
>
> We already had an equivalent. Although it's currently down, I will hopefully
> resurrect it soon. You could add yourself to the maintainer list of the set
> of packages you're interested in, and get an RSS feed from the automated CVE
> matching service. Also, you have to realise that CVE matching is very
> imprecise, and to get very few (but still not zero) false negatives, you
> have to live with a rather large number of false positives.
>
> -- Evgeny
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
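The false-positive/false-negative trade-off Evgeny describes can be seen on a toy matcher. The following is an added illustration, not the nix-dev CVE matching service or any nixpkgs tooling; every advisory id ("EX-…"), version range and package version in it is constructed sample data, and the "truth" set is what a human reviewer is assumed to confirm. It runs the same constructed feed through an exact-name matcher and a normalised-substring matcher and counts how each errs.

```python
"""Toy CVE-to-package matcher.

Added illustration, not the nix-dev matching service mentioned in the
thread. Every advisory ("EX-...") and package version below is
constructed sample data, not a real CVE or a real nixpkgs revision.
"""
import re
from dataclasses import dataclass
from typing import Set, Tuple

Match = Tuple[str, str]  # (advisory id, nixpkgs attribute)


@dataclass(frozen=True)
class Advisory:
    ident: str
    product: str        # product name as the advisory feed spells it
    start: str          # first affected version (inclusive)
    end: str            # first fixed version (exclusive)


@dataclass(frozen=True)
class Package:
    attr: str           # nixpkgs attribute path
    pname: str          # package name as nixpkgs spells it
    version: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Keep only numeric components: '1.0.1p' -> (1, 0, 1).
    Letter suffixes are dropped, so comparisons are deliberately coarse."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def normalise(name: str) -> str:
    """Case-fold and drop punctuation so 'ImageMagick' and 'imagemagick' agree."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def version_affected(adv: Advisory, version: str) -> bool:
    v = parse_version(version)
    return parse_version(adv.start) <= v < parse_version(adv.end)


def strict_name_match(adv: Advisory, pkg: Package) -> bool:
    # Exact spelling only: no false positives, but misses case/spelling drift.
    return adv.product == pkg.pname


def loose_name_match(adv: Advisory, pkg: Package) -> bool:
    # Normalised substring match: catches spelling drift, but 'curl' also
    # hits 'pycurl', which is a different project.
    a, p = normalise(adv.product), normalise(pkg.pname)
    return a in p or p in a


def match(advs, pkgs, name_match) -> Set[Match]:
    """All (advisory, package) pairs whose name rule and version range both hit."""
    return {(a.ident, p.attr) for a in advs for p in pkgs
            if name_match(a, p) and version_affected(a, p.version)}


def score(found: Set[Match], truth: Set[Match]) -> dict:
    return {"false_positives": len(found - truth),
            "false_negatives": len(truth - found)}


# Constructed sample feed and package set (not real data).
ADVISORIES = [
    Advisory("EX-0001", "curl", "7.0.0", "7.46.0"),
    Advisory("EX-0002", "imagemagick", "6.9.0", "6.9.2.10"),
    Advisory("EX-0003", "openssl", "1.0.1", "1.0.2"),
]
PACKAGES = [
    Package("curl", "curl", "7.45.0"),
    Package("pycurl", "pycurl", "7.19.5"),          # unrelated project
    Package("imagemagick", "ImageMagick", "6.9.2.7"),
    Package("openssl", "openssl", "1.0.1p"),
    Package("openssl_1_0_2", "openssl", "1.0.2d"),  # already fixed
]
# Assumed ground truth: what a human reviewer would confirm as affected.
TRUTH = {("EX-0001", "curl"), ("EX-0002", "imagemagick"), ("EX-0003", "openssl")}


def run_comparison() -> dict:
    """Error counts for both matching rules over the sample data."""
    strict = match(ADVISORIES, PACKAGES, strict_name_match)
    loose = match(ADVISORIES, PACKAGES, loose_name_match)
    return {"strict": score(strict, TRUTH), "loose": score(loose, TRUTH)}


if __name__ == "__main__":
    for mode, result in run_comparison().items():
        print(mode, result)
```

On this data the strict rule reports no false positives but misses ImageMagick because the feed and nixpkgs spell the name differently, while the loose rule finds it but also flags pycurl against a curl advisory. Driving false negatives toward zero with looser name rules is exactly what inflates the false-positive count a maintainer has to triage.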