| 31 Oct 2024 |
 K900 | Which is not the slow part | 16:01:55 |
| K900 | And never was | 16:01:57 |
| K900 | And is in fact very fast | 16:02:01 |
| K900 | Specifically because it does not involve "resolution" | 16:02:09 |
 emily | I think AT:P implies that the actual attacker has to be present at the machine, so I agree that that part is inaccurate too. | 16:02:21 |
 puck | In reply to @emilazy:matrix.org
I think AT:P implies that the actual attacker has to be present at the machine, so I agree that that part is inaccurate too. that'd be AV:P i think | 16:02:41 |
| puck | AT:P just means the system has to be misconfigured | 16:02:49 |
| emily | sigh why do tehy have to use inscrutable acronyms | 16:03:05 |
| emily | * sigh why do they have to use inscrutable acronyms | 16:03:12 |
 .. | are there areas where they need mathematical optimization? | 16:03:26 |
| emily | in any case it's definitely not 1.0 and I hope the CVSS score wasn't just massaged to make it so… | 16:03:29 |
| emily | In reply to @khaleghi:matrix.org
are there areas where they need mathematical optimization? we explicitly don't do any kind of SAT or anything | 16:03:59 |
| emily | unlike almost every other package manager :) | 16:04:05 |
| K900 | In reply to@khaleghi:matrix.org
are there areas where they need mathematical optimization? Not really, no | 16:04:19 |
| K900 | At this point the slowest part of Nix is, by a long shot, the interpreter itself | 16:04:32 |
| K900 | And that needs less fancy maths and more rolling up sleeves and profiling for a week | 16:04:50 |
| puck | In reply to @emilazy:matrix.org
in any case it's definitely not 1.0 and I hope the CVSS score wasn't just massaged to make it so… if i change it to CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N it ends up a 2.4 | 16:04:58 |
| puck | the big issue is this vuln kinda depends on other vulns, and the sandbox isn't really default | 16:06:23 |
| emily | VC:L seems wrong, since the impact is itself to confidentiality (if you, say, rely on the Nix sandbox on a host that has sensitive information but then deploy binaries to separate hosts without that information that nonetheless now have access to data they shouldn't?) | 16:06:35 |
| puck | * the big issue is this vuln kinda depends on other vulns to be properly exploitable, and the sandbox isn't really default | 16:06:41 |
