 | NixOS Reproducible Builds | 539 Members |
| Report: https://reproducible.nixos.org Project progress: https://github.com/orgs/NixOS/projects/30 | 125 Servers |
| NixOS Reproducible Builds | 539 Members |
| Report: https://reproducible.nixos.org Project progress: https://github.com/orgs/NixOS/projects/30 | 125 Servers |
| Sender | Message | Time |
|---|---|---|
| 14 Oct 2021 | ||
 Alyssa Ross | obviously that makes it easier to audit and stuff | 09:41:10 |
| Alyssa Ross | and SBoM stuff as you've described it here sounds like it would be very useful at identifying what needs to be audited | 09:41:32 |
| Alyssa Ross | unfortunately, I'm swamped until the end of the year trying to satisfy existing funding goals before they expire, but one thing I might be able do would be to get in touch with people who're coming to Nix from the SCS side of things, introduce myself and what I'm trying to do, and reassure them that we are interested in this and that I'd be interested in looking for opportunites to collaborate starting next year. | 09:45:11 |
| Alyssa Ross | because you're right that it'd a real shame if Nix was passed over for all this stuff. | 09:45:23 |
 j-k | Exactly. Every time I look at the work done on nix and how long ago this all was started my mind is blown. I'd hate for industry to pop up, recreate everything from scratch, and introduce fatal flaws that nix has already solved | 09:46:49 |
| Alyssa Ross | The reason I said I didn't think Nix was well suited before, btw, is that with Nix it's basically impossible to figure out which code is actually being used at runtime. Of course that doesn't really matter, when any build dependency could have compromised that code, but my experience before has been that people don't care about build deps. Glad to hear that's not the case here. | 09:47:09 |
| j-k | In the interest of seeing this move ahead and not get missed in the torrent of messages I'll try summarise some of this in a discorse post | 09:47:52 |
| Alyssa Ross | Yeah, please. | 09:48:00 |
| Alyssa Ross | And we can discuss further in the SLSA channel, which I've now joined. | 09:48:31 |
| j-k | In reply to @qyliss:fairydust.space Yeah I've not looked too much into the runtime aspect. I've had my colleagues complain they can't use nix on fedora with SELinux on 🙃 Your insight around that would be amazing There is some work around keylime and validating SBOMs/Provenance at the kernel level before code runs so that might also help 🤷 | 09:49:36 |
| j-k | In reply to @qyliss:fairydust.space* Yeah I've not looked too much into the runtime aspect. I've had my colleagues complain they can't use nix on fedora with SELinux on 🙃 Your insight around nix & runtime would be amazing There is some work around keylime and validating SBOMs/Provenance at the kernel level before code runs so that might also help 🤷 | 09:50:10 |
| Alyssa Ross | I find keeping up with Matrix a real challenge, and keeping up with Discourse basically impossible. If you do see any further conversations I might be able to provide input on, please feel free to get in touch directly on Matrix (or highlight me if it's a Matrix conversation). | 09:51:08 |
| Alyssa Ross | but having a dedicated Matrix channel hepls | 09:51:26 |
| Alyssa Ross | anyway, I need to go out now, but let's talk more once you've made that Discourse post? | 09:51:39 |
| j-k | sounds good 👍️ | 09:53:17 |
 baloo | j-k: that was just a sarcastic comment, I do not know what your involvement in openssf. But I appreciate any effort toward fixing those issue | 15:40:23 |
| baloo | * j-k: that was just a sarcastic comment, I do not know what your involvement in openssf. But I appreciate any effort toward fixing those issues | 15:40:33 |
| baloo | I think nix is one of the best platform out there to fix those issues, but this is, for sure, the only solution, and other tools needs effort | 15:41:45 |
| baloo | * I think nix is one of the best platform out there to fix those issues, but this is, for sure, not the only solution, and other tools needs effort | 15:42:01 |
| baloo | I did not actually know people reached out :) | 15:42:33 |
| baloo | thanks for pointing them out | 15:42:50 |
| j-k |
I'm aware, as I said I found it funny too but it was also a good opportunity to get into how we improve some of this 😅 how we can show people the work that everyone has done around nix before they started showing an interest in supply chain | 15:43:35 |
| j-k | Yeah it's a bit difficult to keep up with different messages and such. Matrix and Discorse flow so fast and there's a sea of GH issues I'm not sure what we can do to solve that though | 15:44:33 |
| baloo | I think the dedicated matrix room is a good thing | 15:46:08 |
| baloo | maybe ask for dedicated tag on github | 15:46:28 |
| baloo | like the one we have for reproducibility issues | 15:46:50 |
| baloo | quick question, what does SLSA stand for? | 15:47:05 |
| j-k | Supply-chain Levels for Software Artifacts https://slsa.dev/ | 15:47:20 |
| j-k | I'll go over a short explanation of Supply Chain (Security) in the discorse post so it clicks for people where nix already handles some of this | 15:48:13 |
| j-k | Also I've noticed most people are fine with the concept of Pipelines (specifically CI CD pipelines) now but they don't connect that with Supply Chains (e.g. any other supply chain such as food, silicon wafers, etc, Just a long chain of inputs and outputs). I was the same at the beginning but then it clicked | 15:51:20 |