| 20 Mar 2026 |
niklaskorz | https://github.com/NixOS/nixpkgs/pull/501606 | 11:57:19 |
emily | uh, going by that blog post maybe we should just be slapping knownVulnerabilities on this thing or removing it... | 12:03:08 |
emily | I guess if there's no known compromise in the previous version... | 12:04:25 |
blitz | at least the knownVulnerabilities would be good to warn people that this thing is f***ed | 16:04:34 |
曜日 | @delroth:delroth.net — Greetings, do forgive the intrusion.
There is a line from your security wishlist that has stayed with me — that Hydra attestation was dependent on other projects to actually be useful. One of those projects may now exist.
The first is already built. https://github.com/eouzoe/Apeiron
Apeiron is a deterministic execution fabric — builds run inside Firecracker microVMs,
defined by Nix-hermetic closures. The build environment is sealed.
Every output is a cryptographic consequence of its inputs, and nothing else.
The question of whether the environment itself was clean is a different problem.
That is what comes next.
An observer at the kernel layer — eBPF LSM inside the boundary, watching at syscall level as execution happens. Signing takes place outside the hypervisor. A compromised guest cannot revise what the kernel recorded. The design is complete. What remains is building it.
If any of this is of interest, I would welcome a conversation. | 17:36:44 |
vcunat | expat: https://github.com/NixOS/nixpkgs/pull/501685 | 17:41:39 |
raitobezarius | you should DM delroth directly, he's not involved in the NixOS project anymore | 17:43:02 |
raitobezarius | (also discussions not here) | 17:43:10 |
曜日 | My apologies for the confusion. I had only meant to share the project here — though I came across a wishlist that seemed to align rather closely with what it does, and one thing led to another. | 17:54:20 |
曜日 | Apologies — should I take this to #security:nixos.org instead? | 17:55:05 |
曜日 | * Apologies — should I take this to #security-discuss:nixos.org instead? | 17:55:17 |
ElvishJerricco | https://github.com/NixOS/nixpkgs/pull/501701 fixing a vuln in https://github.com/NixOS/nixpkgs/pull/493445 that is presently on master | 18:38:59 |
ElvishJerricco | need to make sure it doesn't hit unstable. It's already on unstable-small | 18:40:19 |
dotlambda | not sure what to do about https://github.com/NixOS/nixpkgs/issues/500142 on 25.11 | 18:43:45 |
dotlambda | https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92 doesn't apply cleanly | 18:44:18 |
ElvishJerricco | K900, vcunat: do we need to cancel an unstable eval or anything like that to keep this from hitting unstable? I suspect it impacts a significant portion of boot.initrd.secrets users. | 19:10:05 |
vcunat | Since the tested job passed, cancelling the rest would make it advance immediately. | 19:11:42 |
vcunat | And it's in unstable-small channel, too. | 19:12:14 |
ElvishJerricco | So we'll have to just merge and wait for it to reach unstable in a few days? Do we need to issue an advisory then? | 19:14:01 |
vcunat | unstable-small can get it within a couple hours. | 19:14:54 |
lennart | not meaning to be rude, but I have highlight on for every message in this channel. I guess lots of others of us 670+ people do so as well, can you switch over to #security-discuss:nixos.org? | 19:15:33 |
emily | (I don't think a highlight on every message in here is a good idea, it's not an advisory notification channel, triage has to happen in the triage room even if not extended discussions…) | 19:16:56 |
emily | (& many many vulnerabilities never come up in here at all 😅) | 19:17:31 |
lennart | ah sorry, that wasn't clear to me. | 19:17:36 |
lennart | I vaguely remember that I had this before, sorry, gonna turn off the notifications :D | 19:48:31 |
| 21 Mar 2026 |
vcunat | No one has reacted to the initrd secrets problem apparently? I think it wouldn't be too hard to prevent nixos-unstable from updating, but should we? Also if it's bad, we need to merge quickly to fix nixos-unstable-small. | 06:16:30 |
K900 | We should | 06:16:46 |
K900 | It's stupid | 06:16:51 |