| 31 Oct 2024 |
K900 | Nix doesn't do dependency resolution | 15:56:07 |
emily | I believe the CVSS in https://github.com/NixOS/nix/security/advisories/GHSA-wf4c-57rh-9pjg is inaccurate. "Attack Complexity: High" seems inaccurate as it's trivial to reproduce and can be easily deployed from a random flake. "Confidentiality: Low" also seems untrue since it's precisely about builds being able to read things they shouldn't be able to. It might not be a very impactful vulnerability, but there's no way it's a CVSS 1.0. Note that CVSS quantifies the impact of the vulnerability if you run into it, not how likely you are to run into it. | 15:58:40 |
.. | https://www.tweag.io/blog/2022-09-13-nixpkgs-graph/ K900 | 16:01:14 |
K900 | That's not dependency resolution | 16:01:35 |
puck | In reply to @emilazy:matrix.org "I believe the CVSS in https://github.com/NixOS/nix/security/advisories/GHSA-wf4c-57rh-9pjg is inaccurate. [...]" I ...think it should probably be UI:N and AC:L? I also don't think the bug itself would be AT:P | 16:01:46 |
K900 | That's just computing dependencies between packages | 16:01:50 |
K900 | Which is not the slow part | 16:01:55 |