| 18 Jun 2021 |
Las | Untested since I don't use connman | 18:39:07 |
hexa | requested two reviewers that previously did reviews/changes | 19:27:07 |
| 19 Jun 2021 |
| Cannon joined the room. | 00:19:14 |
| nf joined the room. | 06:47:24 |
hexa | crossposting here: https://github.com/NixOS/nixpkgs/pull/127453 | 13:21:53 |
hexa | reintroducing certifi with a 2019 version isn't a great idea, but it apparently is required for nixops to continue working | 13:22:26 |
hexa | I insist that it should be marked with knownVulnerabilities and added a commit to that end, so that if it should go in, the problem would be glaringly obvious to any user. | 13:23:02 |
| Cannon changed their display name from NixCannon to Cannon. | 15:51:54 |
| Cannon changed their profile picture. | 15:53:06 |
| Cannon left the room. | 16:14:01 |
| putchar joined the room. | 17:16:08 |
Sandro | Why is NixOS/nixops-committers not a real team? | 18:27:20 |
hexa | not really a security related question, is it? | 18:29:08 |
Sandro | I wanted to assign them to the PR above | 18:35:52 |
hexa | talk to one of the project owners then, domen, zimbatm | 18:44:26 |
| 20 Jun 2021 |
Ekleog | meh, can anyone describe me an actual threat model for shipping an expired certificate store? | 18:58:09 |
Ekleog | I mean we definitely shouldn't do it if we can avoid it, but IMO it's not at all worth a knownVulnerabilities | 18:58:34 |
Ekleog | (haven't investigated this specific case though, just the text in knownVulnerabilities in the PR above) | 18:59:22 |
Ekleog | and using knownVulnerabilities too often makes people much more used to working around it so IMO unless there's another motivation not listed yet, adding knownVulnerabilities in this specific case would be a net negative for security for NixOS | 19:01:29 |
Ekleog | (commented on the PR with more details so the conversation is actually logged somewhere) | 19:09:00 |
hexa | I don't think it's a good idea to eval at every step whether the mozilla trust store does a revert here and there | 19:12:16 |
hexa | there won't be any security bulletins about this | 19:12:30 |
hexa | the abstract threat model would be a reverted certificate gets accepted, because the revert happened between 2019..today | 19:13:14 |
hexa | * there likely won't be any security bulletins about this | 19:16:23 |
hexa | * there likely won't be any security bulletins about this, certainly no CVE | 19:16:33 |
hexa | of course this is not specific to nixops usage, but who knows what uses certifi (via requests) on python2 | 19:17:13 |
Ekleog | I mean CA breakages that actually are bad get publicity literally all over the place, because like 90% of the world runs off outdated CA bundles (yes the number is straight off my hat :p) | 20:12:46 |
Ekleog | If your fear is “everything using certifi on python2 could be broken”, one solution might be to have the certifi package be local to nixops so only it could see it?
But it's additional complexity I guess, I just don't think the benefit of maybe protecting someone once from a compromised CA (which is basically already state-level attackers so people who should already do security review way beyond what NixOS can humanly do) is greater than the issue that making people used to working around knownVulnerabilities makes it much less efficient at actually preventing real vulnerabilities in other cases | 20:15:52 |
Ekleog | IOW: I think that knownVulnerabilities should be used, in cases where there is no known fix to the issue, only be used when the vulnerability can actually be used by criminal-group-level attackers, not only state-level attackers (and yes I know that the groups sometimes overlap, doesn't change much) | 20:17:11 |
Ekleog | * IOW: I think that knownVulnerabilities should, in cases where there is no known fix to the issue, only be used when the vulnerability can actually be used by criminal-group-level attackers, not only state-level attackers (and yes I know that the groups sometimes overlap, doesn't change much) | 20:17:25 |