| 9 Sep 2025 |
|  ShamrockLee (Yueh-Shun Li) joined the room. | 05:45:38 |
| 10 Sep 2025 |
|  SomeoneSerge (back on matrix) changed their display name from SomeoneSerge (@nixcon & back on matrix) to SomeoneSerge (back on matrix). | 00:38:37 |
|  connor (burnt/out) (UTC-8) changed their display name from connor (he/him) (UTC+2) to connor (he/him) (UTC-7). | 22:20:29 |
| 11 Sep 2025 |
|  @ihar.hrachyshka:matrix.org joined the room. | 00:08:11 |
| 12 Sep 2025 |
|  Theo Paris left the room. | 01:43:08 |
| 13 Sep 2025 |
|  Lun joined the room. | 16:39:43 |
| 14 Sep 2025 |
|  @emma:rory.gay joined the room. | 08:40:01 |
 ris_ | https://github.com/NixOS/nixpkgs/pull/442945 | 16:47:53 |
 emily | I wonder how this will interact with Darwin / system libc++ | 17:21:54 |
| 15 Sep 2025 |
 Tristan Ross | Would be nice to have others chime in https://github.com/NixOS/nixpkgs/pull/421125 | 18:36:35 |
 Randy Eckenrode | Is this something that the Nixpkgs Architecture team should weigh in on supporting? | 21:36:02 |
| Randy Eckenrode | (Is that even still a thing?) | 21:36:15 |
| Randy Eckenrode | * | 21:36:23 |
| emily | it is not still a thing | 21:41:27 |
| emily | security team should probably weigh in re: the security tracker stuff | 21:42:13 |
| Tristan Ross | I'll forward it to the #security-discuss:nixos.org chat | 21:49:55 |
| Randy Eckenrode | I question its value as it is. I can post my issued in the PR later when I have time. | 22:28:10 |
| Randy Eckenrode | For example, it maps Python packages to the pypi scheme, but it’s not necessarily true that we are providing the same thing that’s on PyPI.
We may apply patches or replace vendored dependencies. IIRC cryptography had a vulnerability in its statically-linked OpenSSL that would be fixed in nixpkgs in by updating or patching OpenSSL.
The other issue is with FOD-based fetchers. There’s no visibility into what Rust crates (fetchCargoVendor) or Node packages (fetchNodeDeps), which actually are (more or less) the unmodified packages.
I assume that would be actually be useful to have, but the problem being solved isn’t well-formulated. It’s just adding a thing someone’s company (presumably) wants.
| 22:34:50 |
| Randy Eckenrode | I want to say that SBOM information should probably be a derivation, but there is still the problem that dependencies are not knowable from Nix. You have to build the package to find out. Also, are build dependencies needed (e.g., to make sure we didn’t use a compiler that inserted malicious code into our package)? | 22:36:22 |
| Tristan Ross | Yeah, the vendoring stuff is kinda odd. Packages would have to have meta information to say whether something is vendored or not. How would you solve the FOD problem? | 22:40:48 |
| Tristan Ross | I think that would depend on whoever wants to consume nixpkgs and have tooling which scans things. | 22:41:17 |
| Randy Eckenrode | If the SBOM info is a derivation, it can be built from the same FOD source using fetchCargoSBOM or whatever is written to support that. Including that as meta information would have storage costs the FODs avoid (e.g., fetchCargoVendor can use the Cargo.toml from the package’s src). | 22:43:54 |
| Randy Eckenrode | * If the SBOM info is a derivation, it can be built from the same FOD source using fetchCargoSBOM or whatever is written to support that. Including that as meta information would have storage costs the FODs can avoid (e.g., fetchCargoVendor can use the Cargo.toml from the package’s src). | 22:44:42 |
| Tristan Ross | That sounds good, can't really comment on it since idk much about SBOM's and security things. | 22:47:31 |
| Randy Eckenrode | I assume that’s the goal, but I don’t actually know based on the PR’s description. | 22:52:24 |
| Tristan Ross | Yeah, I think it's a decent start at least | 22:52:51 |
| Tristan Ross | At where I work, there's a good change we be needing it so I might be able to work on expanding it after this PR. | 22:54:14 |
| Randy Eckenrode | To simplify down my concern, it’s about maintenance burden. If companies are going to use this for supply chain purposes, are we at risk of getting a bunch of ‘my company’s vulnerability scanner says this package has a CVE’ issues that may actually be fixed in nixpkgs? | 22:54:39 |
| Tristan Ross | I'd like for the CVE stuff to go through review of the security team | 22:55:13 |
| Tristan Ross | Whether that's this or a company trying to upstream a fix. | 22:55:31 |
