| 30 Jul 2021 |
disrupt_the_flow | Hello. Anyone using the hardened profile and KDE Wayland? Seems after issuing nixos-rebuild switch an error saying plasma5 attribute doesn't exist in pam.nix pops up. The fuck? | 11:50:50 |
Linux Hackerman | In reply to @disrupt_the_flow:matrix.org Hello. Anyone using the hardened profile and KDE Wayland? Seems after issuing nixos-rebuild switch an error saying plasma5 attribute doesn't exist in pam.nix pops up. The fuck? Don't use the hardened profile | 14:03:36 |
Linux Hackerman | At least not without reading and understanding it fully | 14:03:50 |
disrupt_the_flow | In reply to @linus.heckemann:matrix.mayflower.de At least not without reading and understanding it fully I did read it and somewhat understood it. An issue was with the memory allocator. If the allocator wasn't libc nothing worked. Even after reinstalling. Dunno why. Maybe Wayland? Anyway as for the above error idk. | 14:28:42 |
Linux Hackerman | The hardened profile breaks things. Don't use it if it breaks things you need. | 14:39:22 |
Linux Hackerman | Sorry, I'm in a bit of a foul mood for unrelated reasons and this probably isn't the best disposition to be helping people in. I'll be off. | 14:40:27 |
tnias | Especially on a desktop/workstation it is not usable. Would not recommend. | 14:41:14 |
Michael Lieberman | Has anyone taken a look at OpenSSF's new SLSA standard for supply chain security? https://slsa.dev/ Seems like just by its nature Nix hits the highest level for most things. | 21:00:55 |
Sandro | Definitely not A | 22:45:29 |
Sandro | And most of the others could be circumvented, but not in the default configuration. Also, we could have bad npm packages, too. | 22:46:19 |
Sandro | But we avoid some attack vectors due to the build sandbox | 22:46:32 |
Michael Lieberman | Interesting. I'm not super deep yet on Nix internals. Does SLSA seem like a reasonable standard? It's pretty new and based on Google's internal Binary Authorization standards. I'm a bit cautious on some of the claims the SLSA standard makes because it relies on a "trusted control plane" and similar. If so, is there any doc or anything I could read up on regarding current Nix security concerns (that aren't confidential)? | 22:53:46 |
Sandro | I don't know if it is reasonable, but I didn't read too much weird stuff yet. | 23:09:03 |
Sandro | Nix has probably all of the security problems that come with a big open source project where not everyone knows everyone and every part of the code. | 23:09:56 |
| 31 Jul 2021 |
Roos | "Dependencies have their own SLSA ratings, and it is possible for a SLSA 4 artifact to be built from SLSA 0 dependencies" Especially this. | 08:30:08 |
Roos | We may have provenance, build signature and somewhat reproducible builds (arguable), but we're still pulling stuff from unknown sources. | 08:31:07 |
Sandro | Yeah well, we need to get the source from somewhere | 08:33:14 |
Roos | IMHO, SLSA 2 is missing non-repudiability. | 08:33:36 |
Roos | In reply to @sandro:supersandro.de Yeah well, we need to get the source from somewhere Yes. Security-sensitive processes do review source changes before using them, we don't. | 08:34:36 |
disrupt_the_flow | In reply to @linus.heckemann:matrix.mayflower.de The hardened profile breaks things. Don't use it if it break things you need. Yeah I know and I fixed some but this specific one is weird. | 08:35:03 |
Roos | Interesting read, thanks ^^ | 08:36:49 |
Sandro | In reply to @roosemberth:orbstheorem.ch Yes. Security-sensitive processes do review source changes before using them, we don't. I am pretty sure security-sensitive processes also try to use as few packages as possible and not literally anything. I think we do it sometimes for core packages, but not for every package. | 08:37:34 |
Roos | Oh, I didn't know we did source-review! | 08:38:31 |
ris_ | ... depends what you mean by source review ... | 18:51:54 |
ris_ | and what sort of attack scenario we'd be trying to catch by such a review. | 18:52:31 |
ris_ | There are few if any packages where we review the (source) diff of every bump. | 18:54:20 |