NixOS Security Triage (762 members, 235 servers)

Coordination and triage of security issues in nixpkgs

| Sender | Message | Time |
|---|---|---|
| 23 Jul 2021 | | |
| | newsflash and midori work for me. no obvious issues so far | 20:44:45 |
| 24 Jul 2021 | | |
| | In reply to @mlieberman85:matrix.org: there is some nix code that can calculate licenses of packages, maybe they could be adapted for your needs. As derivations declare everything they need, then it should be possible to create a Software bill of materials, however what is SPDX? | 00:11:52 |
| | Spdx is the standard shorthand | 00:39:06 |
| | Our variables for licenses should be very close to them | 00:39:18 |
| | i see...very 'interesting'... | 00:52:51 |
| | In reply to @mlieberman85:matrix.org: https://gist.github.com/MatthewCroughan/bd05e78f2e3abc70ab635029ea456d27 , you can thank matt for that... it works well....maybe not exactly what you want but you can get an idea what you can do with a bit of nix lang magic | 00:54:21 |
| | I'll be able to take a look later in the weekend, but yeah SPDX is a spec for bill of materials as well as also a standard that fits the spec. Put simply it asks for stuff like name of package, version, license, and then there's a whole load of optional stuff that can be included like URL, checksum of the package, etc. I recognize that a lot of this stuff comes for free in Nix derivations, narinfo, etc., but it's useful to come in and validate from the outside. Especially some stuff like Nix built containers. The SBOM can be used to validate the container contents after the fact. It's something that can also be distributed alongside the container which won't include the derivation info inside the container and the SPDX standard is becoming more adopted. Thanks for the link though. I'll take a closer look in a couple of days. | 02:50:53 |
| 25 Jul 2021 | | |
| | In reply to @mlieberman85:matrix.org: super, it may be possible to calculate this SBOM after the thing is built, but only if the software is 100% reproducible. Then it's just a matter of hashing the outputs, and creating a database of what hashes match what derivations. Anyway, whatever you want to do, nix probably is the closest thing that can do it in the world right now. PM me if you're interested in things around this. | 16:24:03 |
| | ugh varnish https://nvd.nist.gov/vuln/detail/CVE-2021-36740 | 18:18:29 |
| | fixes for 6.0 branch and 6.5 branch | 18:18:51 |
| | we have 6.0 branch, 6.2 and 6.3 branches | 18:19:04 |
| | slightly encouraging is how similar the patches are for 6.0 and 6.5 | 18:19:41 |
| | so patches for 6.2 and 6.3 should be some interpolation of the two | 18:20:28 |
| | If we don't have the 6.5 branch the maintainer is really active | 18:48:23 |
| | anyone have sources to back this up? sounds like unsubstantiated FUD to me | 19:00:37 |
| | https://www.microsoft.com/en-us/windows/windows-11-specifications | 19:51:20 |
| | UEFI, Secure Boot capable | 19:51:28 |
| | vs https://support.microsoft.com/en-us/windows/windows-10-system-requirements-6d4e9a79-66bf-7950-467c-795cf0386715 | 19:51:43 |
| | vs https://www.microsoft.com/en-us/windows/windows-10-specifications | 19:52:11 |
| | so in win10 it was a feature-specific requirement, in win11 it looks to be a requirement | 19:52:51 |
| | So, just needs to be capable. Fud then | 20:44:39 |
| | In reply to @grahamc:nixos.org: gotta love the fud........'loveeeee the fuuuuuuuud'. | 22:12:20 |
| 26 Jul 2021 | | |
| | https://www.oracle.com/security-alerts/cpujul2021.html | 17:49:50 |
| | (update mysql >8.0.25) | 17:50:04 |
| | and aspell https://nvd.nist.gov/vuln/detail/CVE-2019-25051 | 17:53:42 |
| 28 Jul 2021 | | |
| | In reply to @grahamc:nixos.org: I'm not sure where the misinformation comes from. If Windows 11 mandates a TPM 2.0 that has no impact on anyone. It doesn't mean that Secure Boot cannot be disabled anymore | 12:37:34 |