 | NixOS Security Triage | 695 Members |
| Coordination and triage of security issues in nixpkgs | 217 Servers |
| NixOS Security Triage | 695 Members |
| Coordination and triage of security issues in nixpkgs | 217 Servers |
| Sender | Message | Time |
|---|---|---|
| 11 Jun 2021 | ||
 Sandro | nope | 12:27:15 |
| Sandro | * not at all | 12:27:20 |
| Sandro | I don't think we have anything to know if any stale package are used. You probably just want to upgrade everything and then garbage collect | 12:27:48 |
| Sandro | if the store path is still there then figure out what uses it | 12:28:00 |
 Henson | Sandro: ok | 12:30:59 |
| Henson | but say you've got a bunch of NixOS computers in production and you want to determine if they're vulnerable and only upgrade them if necessary, or perhaps only upgrade the vulnerable packages. I had a server that was used by people that was vulnerable to the sudo bug, but for certain reasons I couldn't upgrade the entire computer, so I did an overlay with just the sudo fix in it. I feel like there should be a way to do a security audit on a system to determine if it's vulnerable other than upgrading every package. I don't feel like this is an academic question, is it? Isn't determining if a system is vulnerable and only upgrading it if necessary (or perhaps only the vulnerable packages if possible) something that people do in practice? | 14:18:48 |
 andi- | Regarding the fix: use the git version that your channel is on. Same story as with random version suffixes: you still have to make a lookup to see in which one it is. | 14:22:18 |
| Sandro |
Add a overlay with the change and rebuild a few hundred packages. | 14:30:27 |
| Sandro |
One of the problems is that the data on vurnabilities is from time to time not that great. I think ImageMagick is a good example where CVEs regularly have wrong version ranges. | 14:32:33 |
| Henson | Sandro: yeah, it would vary based on how dependent other packages are on the thing being fixed. In my sudo case it was only one package, but I can see it just being more worth it to upgrade everything, especially if your change makes it so you can't fetch from the binary cache. | 14:33:09 |
| Sandro |
Maybe in some enterprisy environment. I am just riding the latest and greatest on all machines. | 14:33:58 |
| Sandro | redhats rpm has a feature where you can upgrade all packages that belong into a CVE. Problem with that is when the CVE data is not perfect you might miss something and it also encourages to stay on some stone age old version because we do not have the CVE. | 14:35:10 |
| Sandro | In reply to @henson:matrix.orgif you are using the stable release such security patches get normally backported and then you should be able to use the binary cache. | 14:36:02 |
| Sandro | but I am personal normally on unstable and for packages on master so upgrading everything is just easier and saves me time. | 14:36:41 |
 ris_ | Henson: you're aware of vulnix aren't you? | 19:42:29 |
| ris_ | also the whole "sniffing patch names for CVE ids" thing is a fairly well trodden path in nix | 19:44:06 |
 hexa | tbh, it's why I don't rely on channels | 19:51:38 |
| hexa | my servers track the nixos-$release branches via niv, and my workstations run from a git checkout of master | 19:52:11 |
| hexa | can always just git log --grep=CVE... | 19:52:23 |
| Henson | ris_: no I'm not aware of vulnix | 20:19:34 |
| * Henson searches for it | 20:19:48 | |
| ris_ | it sounds quite a lot like what you're looking for | 20:20:02 |
| Henson | ris_: is it the hacklab vulnix thing, or something else? | 20:20:58 |
| ris_ | https://github.com/flyingcircusio/vulnix | 20:21:22 |
| Henson | ris_: awesome, I'll look into that | 20:21:54 |
| Henson | hexa: have you ever encountered the need to only upgrade parts of your system (like what I described about updating sudo while intentionally keeping the rest of the system at an older NixOS version?) | 20:23:05 |
| hexa | Henson: I use overlays for a few things, yeah | 20:23:33 |
| Henson | hexa: thanks for the suggestion of using niv and the git checkouts. Do you incorporate niv/git into your root user's channels, or import them into the system configuration? | 20:25:38 |
| hexa | Henson: using niv for my servers integrated with morph | 20:25:58 |
| hexa | my workstations have a git checkout at /etc/nixpkgs (whoops) | 20:26:24 |