!LemuOOvbWqRXodtSsw:nixos.org

NixOS Reproducible Builds

521 Members, 115 Servers
Report: https://reproducible.nixos.org Project progress: https://github.com/orgs/NixOS/projects/30

14 Oct 2021
[09:48:31] Alyssa Ross (@qyliss:fairydust.space): And we can discuss further in the SLSA channel, which I've now joined.
[09:50:10] j-k (@j-k:matrix.org) (edited):
In reply to @qyliss:fairydust.space: "The reason I said I didn't think Nix was well suited before, btw, is that with Nix it's basically impossible to figure out which code is actually being used at runtime. Of course that doesn't really matter, when any build dependency could have compromised that code, but my experience before has been that people don't care about build deps. Glad to hear that's not the case here."

Yeah I've not looked too much into the runtime aspect. I've had my colleagues complain they can't use nix on fedora with SELinux on 🙃 Your insight around nix & runtime would be amazing

There is some work around keylime and validating SBOMs/Provenance at the kernel level before code runs so that might also help 🤷
[09:51:08] Alyssa Ross (@qyliss:fairydust.space): I find keeping up with Matrix a real challenge, and keeping up with Discourse basically impossible. If you do see any further conversations I might be able to provide input on, please feel free to get in touch directly on Matrix (or highlight me if it's a Matrix conversation).
[09:51:26] Alyssa Ross (@qyliss:fairydust.space): but having a dedicated Matrix channel helps
[09:51:39] Alyssa Ross (@qyliss:fairydust.space): anyway, I need to go out now, but let's talk more once you've made that Discourse post?
[09:53:17] j-k (@j-k:matrix.org): sounds good 👍️
[15:40:33] baloo (@baloo_:matrix.org) (edited): j-k: that was just a sarcastic comment, I do not know what your involvement in openssf is. But I appreciate any effort toward fixing those issues
[15:42:01] baloo (@baloo_:matrix.org) (edited): I think nix is one of the best platforms out there to fix those issues, but this is, for sure, not the only solution, and other tools need effort
[15:42:33] baloo (@baloo_:matrix.org): I did not actually know people reached out :)
[15:42:50] baloo (@baloo_:matrix.org): thanks for pointing them out
[15:43:35] j-k (@j-k:matrix.org):
In reply to baloo: "that was just a sarcastic comment"

I'm aware, as I said I found it funny too, but it was also a good opportunity to get into how we improve some of this 😅 how we can show people the work that everyone has done around nix before they started showing an interest in supply chain
[15:44:33] j-k (@j-k:matrix.org): Yeah it's a bit difficult to keep up with different messages and such. Matrix and Discourse flow so fast and there's a sea of GH issues. I'm not sure what we can do to solve that though
[15:46:08] baloo (@baloo_:matrix.org): I think the dedicated matrix room is a good thing
[15:46:28] baloo (@baloo_:matrix.org): maybe ask for a dedicated tag on github
[15:46:50] baloo (@baloo_:matrix.org): like the one we have for reproducibility issues
[15:47:05] baloo (@baloo_:matrix.org): quick question, what does SLSA stand for?
[15:47:20] j-k (@j-k:matrix.org): Supply-chain Levels for Software Artifacts https://slsa.dev/
[15:48:13] j-k (@j-k:matrix.org): I'll go over a short explanation of Supply Chain (Security) in the Discourse post so it clicks for people where nix already handles some of this
[15:51:20] j-k (@j-k:matrix.org): Also I've noticed most people are fine with the concept of Pipelines (specifically CI/CD pipelines) now but they don't connect that with Supply Chains (e.g. any other supply chain such as food, silicon wafers, etc. Just a long chain of inputs and outputs). I was the same at the beginning but then it clicked
[15:56:37] baloo (@baloo_:matrix.org): Those are hard problems to solve, and we can't expect everyone to understand it all. There are also a ton of bad examples out there.
[16:05:17] j-k (@j-k:matrix.org): Yep, they're hard problems to solve but on the other hand I'm finding them even harder to solve without nix 🙃
[20:47:08] tomberek (@tomberek:matrix.org): j-k: I'd be happy to take those conversations and devote some time.
15 Oct 2021
[10:40:48] j-k (@j-k:matrix.org): For anyone who didn't join the channel but is interested in the post I promised yesterday: https://discourse.nixos.org/t/over-10-million-donated-for-supply-chain-security-an-opertunity-for-growth-and-adoption/15508
[10:51:03] toonn (@toonn:matrix.org): What's the new channel for, how does it differ from this one?
[10:53:43] Jamie (@jamie:memes.nz): sounds like someone's testing whether the channel is reproducible :P
[11:43:50] j-k (@j-k:matrix.org): It's to review how nix can solve supply chain security issues, specifically focused on comparing it against the SLSA framework requirements. It can also help us discuss suggestions to feed back to the SLSA framework for changes. Also it straddles Security and Reproducibility https://matrix.to/#/#nix-slsa:matrix.org And it's there so this channel doesn't get swamped
[11:44:17] j-k (@j-k:matrix.org): ok it finally sent... not sure why it was having issues