[Nix-dev] Secure NixOS

Rok Garbas rok at garbas.si
Tue Dec 8 04:02:30 CET 2015


Quoting Arseniy Seroka (2015-12-06 20:29:58)
> Greetings, friends and colleagues.
> 
> This is a joint letter by me and Jonn Mostovoy, co-founders of
> Serokell, regarding the state of security in NixOS and a roadmap of fixing it.
> 
> Hopefully, all of us are using NixOS in our companies, however most of the
> times, NixOS machines are deep within the perimeter and aren't facing wild
> Internet because the reaction time to a newly found vulnerability is very long,
> especially compared with the lag in other distros such as Arch Linux. Also,
> proper update process can be tediously slow.
> 
> When we faced a problem of making systems that are designed to run 24/7 in
> extremely hostile networks, we have decided to take Arch and, well,
> re-implement some ideas from Nix, because it was cheaper and safer
> business-wise.
> 
> Of course, we really want to throw away our pathetic reinvented wheel and just
> use NixOS. But for that, three major things have to be done:
> 1. We have to switch to the model of package updates, implemented by Nicolas
> and widely announced on NixCon;
> 2. Fund a team of itsec professionals who will perform maintenance of nixpkgs;
> 3. Make sure that grsecurity patchsets and other kernel hardening flavors
> (which – ?) are shown to work and integrated into system configuration. Or make
> it easy to apply these patchsets if someone needs them.
> 
> Regarding (1), it's a question of community / individual effort, to which we
> would gladly contribute. Regarding (2) — we think that businesses that use
> NixOS should pool up some resources, make a tender and deal with the itsec
> group who will win this tender. Again, we are ready to lead the charge here. It
> is worth noting, that NixOS community already has a CVE scraper that, if I
> recall correctly, maps CVEs to packages. (3), of course, is also the question
> of individual / community effort, what's more, undoubtedly most of people who
> run systems that ought to match certain security parameters have already made
> expressions for custom kernels, we just need to generalize most common usecases
> and put those in configuration set.
> 
> If we manage to reach aforementioned goals, from the least secure popular
> distro, NixOS will become the most secure one, which would be a huge win both
> for every single member of Nix community and for marketing.
> 

Hi Arseniy and Jonn,

Here is my view on your proposal.

I think everybody in the community would want to have more/better security
story in NixOS. I also think the current size of the NixOS community and adoption at
different companies is still not at the level where we can ask for sponsorship
of a full-time position to take care of security-related tasks. But I would love
to be wrong.

While we are not there yet, we are also not far. Currently the best would be to
identify smaller areas of Nix/NixOS you want to improve and sponsor somebody to
work on it (or do it yourself). I welcome you to place funds via
bountysource[1] for tickets you wish people to work on.

In the end I see NixOS as a do-ocracy. If you want something you go do it :)


[1] https://www.bountysource.com/teams/nixos

--
Rok Garbas - http://www.garbas.si