| 11 Jun 2021 |
Sandro | Isn't determining if a system is vulnerable and only upgrading it if necessary (or perhaps only the vulnerable packages if possible) something that people do in practice? Maybe in some enterprisy environment. I am just riding the latest and greatest on all machines. | 14:33:58 |
Sandro | Red Hat's rpm has a feature where you can upgrade all packages that belong to a CVE. The problem with that is when the CVE data is not perfect you might miss something, and it also encourages staying on some stone age old version because we do not have the CVE. | 14:35:10 |
Sandro | In reply to @henson:matrix.org Sandro: yeah, it would vary based on how dependent other packages are on the thing being fixed. In my sudo case it was only one package, but I can see it just being more worth it to upgrade everything, especially if your change makes it so you can't fetch from the binary cache. If you are using the stable release, such security patches normally get backported and then you should be able to use the binary cache. | 14:36:02 |
Sandro | but I am personally normally on unstable and for packages on master, so upgrading everything is just easier and saves me time. | 14:36:41 |
ris_ | Henson: you're aware of vulnix aren't you? | 19:42:29 |
ris_ | also the whole "sniffing patch names for CVE ids" thing is a fairly well trodden path in nix | 19:44:06 |
hexa | tbh, it's why I don't rely on channels | 19:51:38 |
hexa | my servers track the nixos-$release branches via niv, and my workstations run from a git checkout of master | 19:52:11 |
hexa | can always just git log --grep=CVE... | 19:52:23 |
Henson | ris_: no I'm not aware of vulnix | 20:19:34 |
| * Henson searches for it | 20:19:48 |
ris_ | it sounds quite a lot like what you're looking for | 20:20:02 |
Henson | ris_: is it the hacklab vulnix thing, or something else? | 20:20:58 |
ris_ | https://github.com/flyingcircusio/vulnix | 20:21:22 |
Henson | ris_: awesome, I'll look into that | 20:21:54 |
Henson | hexa: have you ever encountered the need to only upgrade parts of your system (like what I described about updating sudo while intentionally keeping the rest of the system at an older NixOS version?) | 20:23:05 |
hexa | Henson: I use overlays for a few things, yeah | 20:23:33 |
Henson | hexa: thanks for the suggestion of using niv and the git checkouts. Do you incorporate niv/git into your root user's channels, or import them into the system configuration? | 20:25:38 |
hexa | Henson: using niv for my servers integrated with morph | 20:25:58 |
hexa | my workstations have a git checkout at /etc/nixpkgs (whoops) | 20:26:24 |
hexa | I'll sometimes carry patches on there | 20:27:02 |
hexa | and then rebuild with -I nixpkgs=/etc/nixpkgs | 20:27:17 |
Henson | In reply to @hexa:lossy.network my workstations have a git checkout at /etc/nixpkgs (whoops) what's the (whoops) for? | 20:30:15 |
hexa | dropping not-config into /etc 😂 | 20:30:31 |
Henson | ahhh | 20:30:43 |
Henson | ok hexa, thanks for your suggestions. Thanks ris_ for the vulnix suggestion, I'll look into these options. | 20:31:26 |
| 12 Jun 2021 |
| tnias joined the room. | 17:19:27 |
| Cannon joined the room. | 17:32:54 |
| 13 Jun 2021 |
| CRTified joined the room. | 00:47:49 |
| aaronchall joined the room. | 04:43:25 |