| 19 Jun 2021 |
Sandro | Why is NixOS/nixops-committers not a real team? | 18:27:20 |
hexa | not really a security related question, is it? | 18:29:08 |
Sandro | I wanted to assign them to the PR above | 18:35:52 |
hexa | talk to one of the project owners then, domen, zimbatm | 18:44:26 |
| 20 Jun 2021 |
Ekleog | meh, can anyone describe to me an actual threat model for shipping an expired certificate store? | 18:58:09 |
Ekleog | I mean we definitely shouldn't do it if we can avoid it, but IMO it's not at all worth a knownVulnerabilities | 18:58:34 |
Ekleog | (haven't investigated this specific case though, just the text in knownVulnerabilities in the PR above) | 18:59:22 |
Ekleog | and using knownVulnerabilities too often makes people much more used to working around it so IMO unless there's another motivation not listed yet, adding knownVulnerabilities in this specific case would be a net negative for security for NixOS | 19:01:29 |
Ekleog | (commented on the PR with more details so the conversation is actually logged somewhere) | 19:09:00 |
hexa | I don't think it's a good idea to eval at every step whether the mozilla trust store does a revert here and there | 19:12:16 |
hexa | there won't be any security bulletins about this | 19:12:30 |
hexa | the abstract threat model would be a reverted certificate gets accepted, because the revert happened between 2019..today | 19:13:14 |
hexa | * there likely won't be any security bulletins about this | 19:16:23 |
hexa | * there likely won't be any security bulletins about this, certainly no CVE | 19:16:33 |
hexa | of course this is not specific to nixops usage, but who knows what uses certifi (via requests) on python2 | 19:17:13 |
Ekleog | I mean CA breakages that actually are bad get publicity literally all over the place, because like 90% of the world runs off outdated CA bundles (yes the number is straight off my hat :p) | 20:12:46 |
Ekleog | If your fear is “everything using certifi on python2 could be broken”, one solution might be to have the certifi package be local to nixops so only it could see it?
But it's additional complexity I guess, I just don't think the benefit of maybe protecting someone once from a compromised CA (which is basically already state-level attackers so people who should already do security review way beyond what NixOS can humanly do) is greater than the issue that making people used to working around knownVulnerabilities makes it much less efficient at actually preventing real vulnerabilities in other cases | 20:15:52 |
Ekleog | IOW: I think that knownVulnerabilities should be used, in cases where there is no known fix to the issue, only be used when the vulnerability can actually be used by criminal-group-level attackers, not only state-level attackers (and yes I know that the groups sometimes overlap, doesn't change much) | 20:17:11 |
Ekleog | * IOW: I think that knownVulnerabilities should, in cases where there is no known fix to the issue, only be used when the vulnerability can actually be used by criminal-group-level attackers, not only state-level attackers (and yes I know that the groups sometimes overlap, doesn't change much) | 20:17:25 |
Ekleog | * IOW: I think that knownVulnerabilities should, in cases where there is no known fix to the issue, only be used when the vulnerability can actually reasonably be used by criminal-group-level attackers, not only state-level attackers (and yes I know that the groups sometimes overlap, doesn't change much) | 20:17:51 |
Sandro | The entire python2 tree is as badly maintained as it gets. No one tests it while bumping and nixops might be broken in other ways. | 21:16:12 |
hexa | fragattacks patches were introduced in v5.13-rc4 | 22:06:29 |
hexa | also in v5.12.9 | 22:07:15 |
hexa | and v5.10.42 | 22:08:37 |
hexa | and v5.4.124 | 22:09:13 |
| 21 Jun 2021 |
| emily joined the room. | 00:35:35 |
| industrialrobot joined the room. | 08:12:49 |
ajs124 | seems like there was a dovecot + pigeonhole security release just now | 11:50:21 |
das_j | changelog says:
* CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker controlled keys to
validate tokens, if attacker has local access.
* CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client.
| 11:51:49 |
hexa | ajs124: das_j are you taking care of that? | 13:07:05 |