| 14 Oct 2021 |
 j-k | And that's ignoring the thousands of dollars that have already gone into PyPI to upgrade their platform and implement TheUpdateFramework practices | 09:10:50 |
| j-k | Why is there interest now? Big high profile breaches month after month | 09:11:21 |
| j-k | 
Download image.png | 09:11:24 |
| j-k |
nice of them to invest that much money in nix wow
That's a funny comment but it's also really painful to read
FYI people involved in the Supply Chain Security part of the CNCF Security TAG and the SLSA framework are actually trying multiple times to reach out to the nix community in Discorse and Matrix but it gets f*ck all traction
One person showed interest and joined the channel to discuss SLSA and where nix as-is destroys requirements and pain points with ease
Jean-Paul in both the Dev and Security channels was asking if it was a good idea to put nixpkgs forward for a potential pro-bono security audit at their employer and again f*ck all interest
Then later on we start wondering, where's the funding, where's the adoption? Why is there a massive wave of interest in Supply Chain but they're building from scratch? Why aren't they learning off the OVER 10 years of work around nix/nixpkgs
| 09:11:50 |
| j-k | 
Download image.png | 09:12:08 |
| j-k | https://matrix.to/#/#nix-slsa:matrix.org | 09:12:28 |
| j-k | https://github.com/slsa-framework/slsa/issues/156#issuecomment-930136723 | 09:13:00 |
| j-k | The nix/nixos project is consistently high in graphs covering activity of opensource projects but even with all this supply chain focus, very little attention is going to nix
It was even in the background in the keynotes. | 09:15:54 |
| j-k | 
Download image.png | 09:15:59 |
 Alyssa Ross | j-k: do you have a link to the discourse discussion? | 09:19:32 |
| Alyssa Ross | sad that I've missed this | 09:19:37 |
| j-k | https://discourse.nixos.org/t/generating-software-bill-of-materials-from-derivation/14089 | 09:19:54 |
| j-k | It's also been posted about in the matrix twice | 09:20:17 |
| Alyssa Ross | hmm, that seems to be about one very specific aspect of it | 09:21:41 |
| Alyssa Ross | and I think it's one Nix is not particularly well-suited for, because it's too dynamic | 09:27:04 |
| j-k | what is one? SBOM? | 09:27:49 |
| Alyssa Ross | yeah | 09:28:00 |
| j-k | An SBOM (in it's current incarnation) should be a reproducible bill of materials that covers direct dependencies and transitive dependencies. Some also collect the hashes for every file (but I find the benefit of this dubious, just review your git repo).
As I see it SBOM is generally an inferior .drv (especially if you're using something like go2nix which brings all your deps into the nix ecosystem
I have little value for an SBOM for a project alone, I will also want the SBOM of the tooling (e.g. go) and the SBOM for whatever built that etc etc etc turtles all the way down. I'd also want some guarentees the SBOM I have for a go build is the exact one for that actual go build etc
In my estimation nix drvs solve this | 09:33:52 |
| j-k | There's some complexity using something that bundles dependencies such as buildGoModule but you could either generate an SBOM as part of that output or just migrate to a full nix system like gomod2nix | 09:35:02 |
| Alyssa Ross | hmm, right, in that case perhaps I was misunderstanding what it is | 09:35:41 |
| Alyssa Ross | so if I made a list of all the sources required to build my application, including all transitive build and runtime dependencies, that would be an SBoM? | 09:36:34 |
| j-k | yep, the analogy that's common is a list of ingredients on a food packet | 09:37:21 |
| j-k | I've put some initial thoughs in the nix-slsa channel but I'm hoping to do a full review of different SLSA requirements and covering where nix solves them, where nix invalidates the need for them, or where nix might need some extra help | 09:37:50 |
| Alyssa Ross | right, yeah, that sounds like something Nix would be extremely good at | 09:38:11 |
| Alyssa Ross | I'm not sure if you know this, but this sort of stuff is extremely relevant to my work | 09:40:21 |
| Alyssa Ross | https://spectrum-os.org/ | 09:40:34 |
| j-k | IIRC you're working on Spectrum | 09:40:36 |
| j-k | yeah | 09:40:37 |
| Alyssa Ross | one goal is to minimize the amount of code running on the host system | 09:41:05 |
| Alyssa Ross | obviously that makes it easier to audit and stuff | 09:41:10 |
