NixOS Reproducible Builds - Public Room Timeline

	NixOS Reproducible Builds	533 Members
	Report: https://reproducible.nixos.org Project progress: https://github.com/orgs/NixOS/projects/30	119 Servers

Load older messages

Sender	Message	Time
14 Oct 2021
Alyssa Ross	I'm not sure if you know this, but this sort of stuff is extremely relevant to my work	09:40:21
Alyssa Ross	https://spectrum-os.org/	09:40:34
j-k	IIRC you're working on Spectrum	09:40:36
j-k	yeah	09:40:37
Alyssa Ross	one goal is to minimize the amount of code running on the host system	09:41:05
Alyssa Ross	obviously that makes it easier to audit and stuff	09:41:10
Alyssa Ross	and SBoM stuff as you've described it here sounds like it would be very useful at identifying what needs to be audited	09:41:32
Alyssa Ross	unfortunately, I'm swamped until the end of the year trying to satisfy existing funding goals before they expire, but one thing I might be able do would be to get in touch with people who're coming to Nix from the SCS side of things, introduce myself and what I'm trying to do, and reassure them that we are interested in this and that I'd be interested in looking for opportunites to collaborate starting next year.	09:45:11
Alyssa Ross	because you're right that it'd a real shame if Nix was passed over for all this stuff.	09:45:23
j-k	Exactly. Every time I look at the work done on nix and how long ago this all was started my mind is blown. I'd hate for industry to pop up, recreate everything from scratch, and introduce fatal flaws that nix has already solved	09:46:49
Alyssa Ross	The reason I said I didn't think Nix was well suited before, btw, is that with Nix it's basically impossible to figure out which code is actually being used at runtime. Of course that doesn't really matter, when any build dependency could have compromised that code, but my experience before has been that people don't care about build deps. Glad to hear that's not the case here.	09:47:09
j-k	In the interest of seeing this move ahead and not get missed in the torrent of messages I'll try summarise some of this in a discorse post	09:47:52
Alyssa Ross	Yeah, please.	09:48:00
Alyssa Ross	And we can discuss further in the SLSA channel, which I've now joined.	09:48:31
j-k	In reply to @qyliss:fairydust.space The reason I said I didn't think Nix was well suited before, btw, is that with Nix it's basically impossible to figure out which code is actually being used at runtime. Of course that doesn't really matter, when any build dependency could have compromised that code, but my experience before has been that people don't care about build deps. Glad to hear that's not the case here. Yeah I've not looked too much into the runtime aspect. I've had my colleagues complain they can't use nix on fedora with SELinux on 🙃 Your insight around that would be amazing There is some work around keylime and validating SBOMs/Provenance at the kernel level before code runs so that might also help 🤷	09:49:36
j-k	In reply to @qyliss:fairydust.space The reason I said I didn't think Nix was well suited before, btw, is that with Nix it's basically impossible to figure out which code is actually being used at runtime. Of course that doesn't really matter, when any build dependency could have compromised that code, but my experience before has been that people don't care about build deps. Glad to hear that's not the case here. * Yeah I've not looked too much into the runtime aspect. I've had my colleagues complain they can't use nix on fedora with SELinux on 🙃 Your insight around nix & runtime would be amazing There is some work around keylime and validating SBOMs/Provenance at the kernel level before code runs so that might also help 🤷	09:50:10
Alyssa Ross	I find keeping up with Matrix a real challenge, and keeping up with Discourse basically impossible. If you do see any further conversations I might be able to provide input on, please feel free to get in touch directly on Matrix (or highlight me if it's a Matrix conversation).	09:51:08
Alyssa Ross	but having a dedicated Matrix channel hepls	09:51:26
Alyssa Ross	anyway, I need to go out now, but let's talk more once you've made that Discourse post?	09:51:39
j-k	sounds good 👍️	09:53:17
baloo	j-k: that was just a sarcastic comment, I do not know what your involvement in openssf. But I appreciate any effort toward fixing those issue	15:40:23
baloo	* j-k: that was just a sarcastic comment, I do not know what your involvement in openssf. But I appreciate any effort toward fixing those issues	15:40:33
baloo	I think nix is one of the best platform out there to fix those issues, but this is, for sure, the only solution, and other tools needs effort	15:41:45
baloo	* I think nix is one of the best platform out there to fix those issues, but this is, for sure, not the only solution, and other tools needs effort	15:42:01
baloo	I did not actually know people reached out :)	15:42:33
baloo	thanks for pointing them out	15:42:50
j-k	that was just a sarcastic comment I'm aware, as I said I found it funny too but it was also a good opportunity to get into how we improve some of this 😅 how we can show people the work that everyone has done around nix before they started showing an interest in supply chain	15:43:35
j-k	Yeah it's a bit difficult to keep up with different messages and such. Matrix and Discorse flow so fast and there's a sea of GH issues I'm not sure what we can do to solve that though	15:44:33
baloo	I think the dedicated matrix room is a good thing	15:46:08
baloo	maybe ask for dedicated tag on github	15:46:28

Show newer messages

Back to Room ListRoom Version: 6