| 30 May 2021 |
 kunrooted | I also have a 'topic list' for now, maybe this will generate even more ideas if I share it:
okay so something about atomic Upgrades def.
The Potential of supply chain attacks
I thought about mentioning security of NixOS containers where root in container is root on the host
The problem with pre-compiled binaries
/nix/store paths and not /bin for software
I wanted to mention dependency confusion as well in the topic of sca in Nix/NixOS
i only use the original version of any software i have installed
I wanted to mention nixos-infect which can turn AWS instance into NixOS install
And maybe the state of security tools for Nixos
unpriviliged users can install packages
in the meantime, I made a PoC of interpreter/loader/library hijack, which I'll also try to cover
| 18:36:03 |
| kunrooted | * I also have a 'topic list' for now, maybe this will generate even more ideas if I share it:
okay so something about atomic Upgrades def.
The Potential of supply chain attacks
I thought about mentioning security of NixOS containers where root in container is root on the host
The problem with pre-compiled binaries
/nix/store paths and not /bin for software
I wanted to mention dependency confusion as well in the topic of sca in Nix/NixOS
i only use the original version of any software i have installed
I wanted to mention nixos-infect which can turn AWS instance into NixOS install
And maybe the state of security tools for Nixos
unpriviliged users can install packages
in the meantime, I made a PoC of interpreter/loader/library hijack, which I'll also try to cover as a topic in that paper of mine
| 18:36:19 |
| kunrooted | * I also have a 'topic list' for now, maybe this will generate even more ideas if I share it:
okay so something about atomic Upgrades def.
The Potential of supply chain attacks
I thought about mentioning security of NixOS containers where root in container is root on the host
The problem with pre-compiled binaries
/nix/store paths and not /bin for software
I wanted to mention dependency confusion as well in the topic of sca in Nix/NixOS
(lol, someone's other msg was in here, haven't noticed that before)
I wanted to mention nixos-infect which can turn AWS instance into NixOS install
And maybe the state of security tools for Nixos
unpriviliged users can install packages
in the meantime, I made a PoC of interpreter/loader/library hijack, which I'll also try to cover as a topic in that paper of mine
| 18:38:37 |
 philipp | about unpriviliged users can install packages: That is true on any normal linux desktop/server. Even if the package manager doesn't help you, local users will be able to execute all the code they want to. | 18:38:41 |
 andi- | I also have a few ideas for PoCs on how to demonstrate downsides of our current stuff and what the average NixOS contributor should be aware of... DM me (in a few days/weeks) if you feel like you need more :) | 18:38:44 |
| andi- |
I thought about mentioning security of NixOS containers where root in container is root on the host
This was mitigated some time ago IRRC?
| 18:39:07 |
| andi- | *
I thought about mentioning security of NixOS containers where root in container is root on the host
This was mitigated some time ago IRRC?
| 18:39:11 |
| kunrooted | In reply to @philipp:xndr.de
about unpriviliged users can install packages: That is true on any normal linux desktop/server. Even if the package manager doesn't help you, local users will be able to execute all the code they want to. you can limit them | 18:39:11 |
| andi- | *
I thought about mentioning security of NixOS containers where root in container is root on the host
This was mitigated some time ago IRRC?
| 18:39:16 |
| kunrooted | afaik | 18:39:16 |
| kunrooted | you can make specific users having just write access to just specific things, it's really flexible af | 18:39:37 |
| andi- | You can set noexec on ~ | 18:39:39 |
| kunrooted | In reply to @andi:kack.it
I thought about mentioning security of NixOS containers where root in container is root on the host
This was mitigated some time ago IRRC?
it won't be an issue anymore? | 18:39:55 |
| andi- | I vaguely recall someone talking about it months ago | 18:40:10 |
| kunrooted | I was writing a container a while ago and it was mentioned an issue then by some of my collegues | 18:40:14 |
| andi- | perhaps this? https://github.com/NixOS/nixpkgs/pull/67336 | 18:41:05 |
| kunrooted | ah, so it limits a root on the container? | 18:41:36 |
| kunrooted | I think that still not many people might know about this option | 18:42:19 |
| andi- | It wasn't merged yet so who knows what the actual state is :D | 18:42:43 |
| kunrooted | yeah, it's a 'draft', weird | 18:42:53 |
| 31 May 2021 |
|  [0x4A6F] changed their display name from [0x4A6F] to 0x4A6F. | 08:23:41 |
 ris_ | hah. i've heard of squash-merges before but this author squashes their entire releases https://github.com/pgpartman/pg_partman/commit/0b6565ad378c358f8a6cd1d48ddc482eb7f854d3 | 13:01:19 |
| ris_ | luckily the search_path changes are all i need and they are separable by file | 13:01:56 |
| ris_ | nothing fetchpatch can't handle | 13:02:09 |
| ris_ | still | 13:02:12 |
 Synthetica | why | 13:02:42 |
| Synthetica | why would one do that | 13:02:50 |
|  re-ptarmigan❄️🐦️ changed their display name from reptarmigan to re-ptarmigan❄️🐦️. | 21:56:28 |
| 1 Jun 2021 |
| [0x4A6F] changed their display name from 0x4A6F to [0x4A6F]. | 06:35:18 |
|  tilpner joined the room. | 11:01:44 |
