| 15 Sep 2025 |
emily | it is not still a thing | 21:41:27 |
emily | security team should probably weigh in re: the security tracker stuff | 21:42:13 |
Tristan Ross | I'll forward it to the #security-discuss:nixos.org chat | 21:49:55 |
Randy Eckenrode | I question its value as it is. I can post my issues in the PR later when I have time. | 22:28:10 |
Randy Eckenrode | For example, it maps Python packages to the pypi scheme, but it’s not necessarily true that we are providing the same thing that’s on PyPI.
We may apply patches or replace vendored dependencies. IIRC cryptography had a vulnerability in its statically-linked OpenSSL that would be fixed in nixpkgs by updating or patching OpenSSL.
The other issue is with FOD-based fetchers. There’s no visibility into what Rust crates (fetchCargoVendor) or Node packages (fetchNodeDeps), which actually are (more or less) the unmodified packages.
I assume that would actually be useful to have, but the problem being solved isn’t well-formulated. It’s just adding a thing someone’s company (presumably) wants.
| 22:34:50 |
Randy Eckenrode | I want to say that SBOM information should probably be a derivation, but there is still the problem that dependencies are not knowable from Nix. You have to build the package to find out. Also, are build dependencies needed (e.g., to make sure we didn’t use a compiler that inserted malicious code into our package)? | 22:36:22 |
Tristan Ross | Yeah, the vendoring stuff is kinda odd. Packages would have to have meta information to say whether something is vendored or not. How would you solve the FOD problem? | 22:40:48 |
Tristan Ross | I think that would depend on whoever wants to consume nixpkgs and have tooling which scans things. | 22:41:17 |
Randy Eckenrode | If the SBOM info is a derivation, it can be built from the same FOD source using fetchCargoSBOM or whatever is written to support that. Including that as meta information would have storage costs the FODs avoid (e.g., fetchCargoVendor can use the Cargo.toml from the package’s src). | 22:43:54 |
Randy Eckenrode | * If the SBOM info is a derivation, it can be built from the same FOD source using fetchCargoSBOM or whatever is written to support that. Including that as meta information would have storage costs the FODs can avoid (e.g., fetchCargoVendor can use the Cargo.toml from the package’s src). | 22:44:42 |
Tristan Ross | That sounds good, can't really comment on it since idk much about SBOMs and security things. | 22:47:31 |
Randy Eckenrode | I assume that’s the goal, but I don’t actually know based on the PR’s description. | 22:52:24 |
Tristan Ross | Yeah, I think it's a decent start at least | 22:52:51 |
Tristan Ross | At where I work, there's a good chance we'll be needing it so I might be able to work on expanding it after this PR. | 22:54:14 |
Randy Eckenrode | To simplify down my concern, it’s about maintenance burden. If companies are going to use this for supply chain purposes, are we at risk of getting a bunch of ‘my company’s vulnerability scanner says this package has a CVE’ issues that may actually be fixed in nixpkgs? | 22:54:39 |
Tristan Ross | I'd like for the CVE stuff to go through review of the security team | 22:55:13 |
Tristan Ross | Whether that's this or a company trying to upstream a fix. | 22:55:31 |
| 16 Sep 2025 |
rosssmyth | SBOM stuff is generally falling of companies trying to comply with the EU's CRA. When I read the CRA I don't remember there being specific requirements for the SBOM, but once EU states start implementing it there might be. | 16:08:28 |
rosssmyth | * SBOM stuff is generally falling out of companies trying to comply with the EU's CRA. When I read the CRA I don't remember there being specific requirements for the SBOM, but once EU states start implementing it there might be. | 16:11:31 |
Alyssa Ross | SBOM was actually mostly driven by USG after Solarwinds, as I recall… | 16:11:38 |
rosssmyth | I see, I don't interact with that space so I wouldn't know. | 16:12:42 |
Alyssa Ross | I don't either, I just know that I'd heard of SBOMs long before I'd heard of the CRA, and been asked for one for the first time before the CRA was even proposed. | 16:13:06 |
| 22 Sep 2025 |
Philip Taron (UTC-8) | For https://github.com/NixOS/nixpkgs/issues/444721, I don't believe that there's anything to report under stdenv. | 18:38:33 |
Tristan Ross | Yeah, we're good for now I believe | 18:46:48 |
| 23 Sep 2025 |
| 30 Sep 2025 |
dish [Fox/It/She] | Howdy stdenv folks. Progress on the minimal-bootstrap is going okay, but I'm hitting an error (which I'm pretty sure is the same one that the current minimal bootstrap hits) and I'm having issues getting it solved. Current branch with all of my work is https://github.com/pyrox0/nixpkgs/tree/bump/minimal-bootstrap, any help or suggestions on how to resolve this would be helpful. I'll post the tail of my build logs here in a second so that you can see the logs too. | 15:21:07 |
dish [Fox/It/She] | Download gcc-4.6.4.log | 15:23:25 |
dish [Fox/It/She] | the issue is on line 103 of the log | 15:23:37 |