| 23 Sep 2022 |
 vcunat | I don't even run any security-sensitive system (with nixpkgs), really. | 18:45:11 |
| vcunat | If we can consistently deploy important fixes within just a few days after the top tier (say, Red Hat), I'll be quite happy and focus on further improving other aspects of Nix*. | 18:52:42 |
 Sandro 🐧 | Do we have some stats to know if we fix issues within 10 days?
Also we don't really track CVEs anywhere and I don't want to dump more issues on our issue graveyard.
We don't have private issue tracker but that could easily done with a private repository.
| 19:09:01 |
 hexa | yes, we do | 19:09:32 |
| Sandro 🐧 | I mean properly | 19:09:54 |
| hexa | from 17 embaroges predisclosures via linux-distros we took longer than than 7 days for 4 of them | 19:10:53 |
| Sandro 🐧 | In reply to @winterqt:nixos.dev
I wonder if we could create a private Hydra jobset, run the jobs on there so the binaries are cached, maybe do ACLs on the binaries on S3 if someone somehow manages to guess the store path, and then assuming there are no intermediate rebuilds required in between this and the embargo lifting... profit? That would destroy the chain of trust. | 19:10:54 |
| hexa | * from 17 embaroged predisclosures via linux-distros we took longer than than 7 days for 4 of them | 19:11:00 |
| hexa | * from 17 embargoed predisclosures via linux-distros we took longer than than 7 days for 4 of them | 19:11:05 |
 Winter (she/her) | in a way that it can't already be destroyed? | 19:11:56 |
| hexa | I think improving the reliability of ofBorg would be a longer hanging fruit than working on private hydra jobsets 🙂 | 19:13:22 |
| Sandro 🐧 | Right now everything is build in the open. With that we would build some binaries privately and then they are just there and you need to trust that they are correct. | 19:13:25 |
| hexa | * I think improving the reliability of ofBorg would be a lower hanging fruit than working on private hydra jobsets 🙂 | 19:13:30 |
| Winter (she/her) | that's also done now | 19:14:08 |
| vcunat | Private hydra instance. | 19:14:45 |
| Sandro 🐧 | and it could get really hairy when you don't want to duplicate the entire cache and later open the logs and binaries after they are no longer embargoed | 19:14:57 |
| Winter (she/her) | In reply to @vcunat:matrix.org
Private hydra instance. I was moreso thinking a private Hydra jobset on our instance. | 19:15:19 |
| vcunat | * Private hydra instance. (I thought that was the suggestion, not private jobset.) | 19:15:22 |
| vcunat | I don't think the SW can do that. | 19:15:43 |
| Sandro 🐧 | hydra has no support for that. Using a separate instance would be less development work and would make it unlikely to disclose information through bugs. | 19:15:56 |
| vcunat | But you can set up a parallel private instance relatively easily, even with the same set of builders backing it up. | 19:16:09 |
| Winter (she/her) | ah yeah that also works (i'd think it would have support for jobsets being viewed only by a few users though, ouch) | 19:16:39 |
| vcunat | * But you can set up a parallel private instance relatively easily, even with the same set of builders backing it up. (though we have this provisioning, so why) | 19:16:48 |
| vcunat | * But you can set up a parallel private instance relatively easily, even with the same set of builders backing it up. (though we have this provisioning, so why even share the machines) | 19:17:01 |
| vcunat | * But you can set up a parallel private instance relatively easily, even with the same set of builders backing it up. (though we have this provisioning, so why even share the builder machines) | 19:17:07 |
| Sandro 🐧 | just make the entire hydra only for people that are allowed to view them. Thats a lot easier and we don't need to worry that new functionality exposes things. | 19:17:31 |
| Winter (she/her) | that's what we're saying, no? | 19:17:59 |
| vcunat | Yes, a new private hydra instance. | 19:18:33 |
| Sandro 🐧 | with S3: we could do something like:
- if the private instance pushes to it, it is restricted
- if the public pushes the same thing to it, then it gets public
- but the public instance would need to be able to access the private paths which should also make them public
| 19:20:03 |
| Sandro 🐧 | or you just don't do any of that and hope people can't enumerate the cache | 19:21:14 |
