| 30 Jul 2021 |
Michael Lieberman | Interesting. I'm not super deep yet on Nix internals. Does SLSA seem like a reasonable standard? It's pretty new and based on Google's internal Binary Authorization standards. I'm a bit cautious on some of the claims the SLSA standard makes because it relies on a "trusted control plane" and similar. If so, is there any doc or anything I could read up on regarding current Nix security concerns (that aren't confidential)? | 22:53:46 |
Sandro | I don't know if it is reasonable, but I didn't read too much weird stuff yet. | 23:09:03 |
Sandro | Nix has probably all of the security problems that come with a big open source project where not everyone knows everyone and every part of the code. | 23:09:56 |
| 31 Jul 2021 |
Roos | "Dependencies have their own SLSA ratings, and it is possible for a SLSA 4 artifact to be built from SLSA 0 dependencies." Especially this. | 08:30:08 |
Roos | We may have provenance, build signatures and somewhat reproducible builds (arguable), but we're still pulling stuff from unknown sources. | 08:31:07 |
Sandro | Yeah well, we need to get the source from somewhere. | 08:33:14 |
Roos | IMHO, SLSA 2 is missing non-repudiability. | 08:33:36 |
Roos | In reply to @sandro:supersandro.de "Yeah well, we need to get the source from somewhere" Yes. Security-sensitive processes do review source changes before using them; we don't. | 08:34:36 |
disrupt_the_flow | In reply to @linus.heckemann:matrix.mayflower.de "The hardened profile breaks things. Don't use it if it breaks things you need." Yeah, I know, and I fixed some, but this specific one is weird. | 08:35:03 |
Roos | Interesting read, thanks ^^ | 08:36:49 |
Sandro | In reply to @roosemberth:orbstheorem.ch "Yes. Security-sensitive processes do review source changes before using them, we don't." I am pretty sure security-sensitive processes also try to use as few packages as possible and not literally anything. I think we do it sometimes for core packages, but not for every package. | 08:37:34 |
Roos | Oh, I didn't know we did source-review! | 08:38:31 |
ris_ | .... depends what you mean by source review .... | 18:51:54 |
ris_ | and what sort of attack scenario we'd be trying to catch by such a review. | 18:52:31 |
ris_ | There are few if any packages where we review the (source) diff of every bump, | 18:54:20 |
ris_ | and I'm not sure there are any distros that do. | 18:54:38 |
ris_ | Anything other than an extremely minimal distro trying to do that would get so bound down in molasses that I would imagine any security benefits from "supply chain security" would be outweighed by the slowness of it all. | 18:55:59 |
ris_ | anyway... | 18:56:04 |
ris_ | (was going to go on for some rabbitmq/elixir assistance but I think I've figured it out) | 19:15:24 |
ris_ | Actually, it does look like I'll need to call in some rabbitmq help on https://github.com/NixOS/nixpkgs/pull/132242 | 21:46:24 |
Michael Lieberman | In reply to @r_i_s:matrix.org "anything other than an extremely minimal distro trying to do that would get so bound down in molasses that i would imagine any security benefits from "supply chain security" would be outweighed by the slowness of it all." I think it's a balance. Not everything needs to be SLSA 4. And you can be SLSA 4 for your source and build but include SLSA 0 dependencies. | 21:54:15 |
ris_ | Sure, I can imagine some specialist systems doing it, | 21:54:44 |
ris_ | but I'd be pretty surprised if we scored lower than any mainstream distro in SLSA. | 21:56:13 |
Michael Lieberman | We did something akin to it for something at a place I used to be at. So for core "Crown Jewels" type stuff it was worthwhile. I wouldn't use SLSA 4 for my personal blog project. | 21:56:50 |
Michael Lieberman | The thing I really like that Nix gives me is the provenance piece, assuming Nix tooling isn't lying to me, which is a separate question. I know that if I build something I have metadata regarding its bill of materials, including its build environment, and I have the same metadata up the chain for everything else.
I have been playing around with getting SPDX and CycloneDX spec bills of materials from Nix derivations and Nix store info. | 22:02:16 |
Michael Lieberman | https://github.com/mlieberman85/nixbom This is what I have spent some free time on. Still needs a bunch more work and can be a bit slow in dumping/querying the Nix store. | 23:09:15 |
| 1 Aug 2021 |
| Jamie joined the room. | 08:04:15 |
| Jassuko joined the room. | 19:35:29 |
| 3 Aug 2021 |
| chester-tan joined the room. | 02:53:52 |