In reply to @noch3:matrix.org
ryantm: Sandro Yes I only wish/hope there is a thorough audit/analysis of NixOS. It has many theoretical advantages but have they been demonstrated evidentially somehow?

There's currently some interest in using nix for high security environments from orgs such as the CNCF https://discourse.nixos.org/t/generating-software-bill-of-materials-from-derivation/14089

building containers with nix without a container daemon is very desirable
building all that rootless would be even better, currently pretty doable through nix-portable

a full tree of dependencies is super nice (see the SBOM discourse post above)

nix + trustix is a super interesting project for zero/low trust software supply chains and "software factories", promising for governments, financial orgs, people on the cutting edge of "DevSecOps")

https://software.af.mil/software-factories/
https://www.lockheedmartin.com/en-us/capabilities/space/software-factory.html
https://www.cncf.io/announcements/2021/05/14/cncf-paper-defines-best-practices-for-supply-chain-security/
https://www.youtube.com/watch?v=bC4IbGKV9CY (one of the video calls during writing the CNCF doc, Michael Lieberman from the discourse post I linked was on the call too)

In reply to @j-k:matrix.org

There's currently some interest in using nix for high security environments from orgs such as the CNCF https://discourse.nixos.org/t/generating-software-bill-of-materials-from-derivation/14089

building containers with nix without a container daemon is very desirable
building all that rootless would be even better, currently pretty doable through nix-portable

a full tree of dependencies is super nice (see the SBOM discourse post above)

nix + trustix is a super interesting project for zero/low trust software supply chains and "software factories", promising for governments, financial orgs, people on the cutting edge of "DevSecOps")

https://software.af.mil/software-factories/
https://www.lockheedmartin.com/en-us/capabilities/space/software-factory.html
https://www.cncf.io/announcements/2021/05/14/cncf-paper-defines-best-practices-for-supply-chain-security/
https://www.youtube.com/watch?v=bC4IbGKV9CY (one of the video calls during writing the CNCF doc, Michael Lieberman from the discourse post I linked was on the call too)

In reply to @disrupt_the_flow:matrix.org
Hello. Any1 using the hardened profile and Wayland? It seems scudo doesn't let shit to run. Like Firefox or telegram-desktop. Changing it to graphene-allocator which works way better? And way the fuck less loc. I think hardened_malloc has 18k and scudo 400k.

In reply to @sushi_dude:matrix.org
https://github.com/NixOS/nixpkgs/issues/100799#issuecomment-728935064

In reply to @mlieberman85:matrix.org
Personally I'm looking at building a tool that can generate SPDX and/or CycloneDX formatted SBOMs based on Nix derivations. I have some thoughts on it but would definitely be interested in bouncing my ideas off of some folks who have more experience in the Nix derivation space.