 | NixOS Security Triage | 748 Members |
| Coordination and triage of security issues in nixpkgs | 230 Servers |
| NixOS Security Triage | 748 Members |
| Coordination and triage of security issues in nixpkgs | 230 Servers |
| Sender | Message | Time |
|---|---|---|
| 23 Jul 2021 | ||
 Samæ | TBH, I don't really get how that program works, and what I should and should not expect ^^' | 09:03:01 |
 das_j | In reply to @m:marvid.frI think that was the one, yeah | 10:28:02 |
 Sandro | Is there a vulnix list for false positives? | 10:33:01 |
 Linux Hackerman | Sandro: https://github.com/ckauhaus/nixos-vulnerability-roundup/tree/master/whitelists | 10:33:32 |
| Sandro | Thank you very much | 10:40:47 |
 Michael Lieberman | In reply to @nixinator:nixos.devMostly I have some initial thoughts on how to build an SPDX SBOM which I detail here: https://discourse.nixos.org/t/generating-software-bill-of-materials-from-derivation/14089 and wanted to more or less know if anyone else has explored doing this? Aware of a better approach to solving it? I've seen vulnix and I think following a similar pattern to what they're doing to map derivations to packages. | 15:39:11 |
 tnias | https://webkitgtk.org/security/WSA-2021-0004.html | 16:05:14 |
| tnias | In reply to @tnias:stratum0.org I created a PR. Unfortunately building it locally is quiet slow. It is still compiling... https://github.com/NixOS/nixpkgs/pull/131266 | 19:04:12 |
 ajs124 | tnias: what are you trying to build? just webkitgtk or everything that depends on it? | 20:04:42 |
| tnias | ajs124: I just finished building webkitgtk. But I am trying to run a nixos-rebuild for my current system to see if any obvious things broke. | 20:06:12 |
 hexa | just build midori or some other low-end browser depending on it | 20:40:15 |
| tnias | newsflash and midori work for me. no obvious issues so far | 20:44:45 |
| 24 Jul 2021 | ||
 nixinator | In reply to @mlieberman85:matrix.orgthere is some nix code that can calculate licenses of packages, maybe the could be adapted for your needs. As derivations declare everything the need, then it should be possible to create a Software bill of materials, however what is SPDX? | 00:11:39 |
| nixinator | In reply to @mlieberman85:matrix.org* there is some nix code that can calculate licenses of packages, maybe the could be adapted for your needs. As derivations declare everything they need, then it should be possible to create a Software bill of materials, however what is SPDX? | 00:11:52 |
| Sandro | Spdx is the standard shorthand | 00:39:06 |
| Sandro | Our variables for licenses should be very close to them | 00:39:18 |
| nixinator | i see...very 'interesting'... | 00:52:51 |
| nixinator | In reply to @mlieberman85:matrix.orghttps://gist.github.com/MatthewCroughan/bd05e78f2e3abc70ab635029ea456d27 , you can thank matt for that... it works well....maybe not exactly what you want but you can get an idea what you can do with a bit of nix lang magic | 00:54:21 |
| Michael Lieberman | I'll be able to take a look later in the weekend, but yeah SPDX is a spec for bill of materials as well as also a standard that fits the spec. Put simply it asks for stuff like name of package, version, license, and then there's a whole load of optional stuff that can be included like URL, checksum of the package, etc. I recognize that a lot of this stuff comes for free in Nix derivations, narinfo, etc., but it's useful to come in and validate from the outside. Especially some stuff like Nix built containers. The SBOM can be used to validate the container contents after the fact. It's something that can also be distributed alongside the container which won't include the derivation info inside the container and the SPDX standard is becoming more adopted. Thanks for the link though. I'll take a closer look in a couple of days. | 02:50:53 |
| 25 Jul 2021 | ||
| nixinator | In reply to @mlieberman85:matrix.orgsuper, it maybe be possible to calculate this SBOM after the thing is built, but only if the software is 100% reproducable. Then it's just a matter of hashing the outputs, and create a database of what hashes match what derivations. Aynway, what ever you want to do, nix probably is the closing thing that can do it the world right now. PM me if your interested in things around this. | 16:24:03 |
 ris_ | ugh varnish https://nvd.nist.gov/vuln/detail/CVE-2021-36740 | 18:18:29 |
| ris_ | fixes for 6.0 branch and 6.5 branch | 18:18:51 |
| ris_ | we have 6.0 branch, 6.2 and 6.3 branches | 18:19:04 |
| ris_ | slightly encouraging is how similar the patches are for 6.0 and 6.5 | 18:19:41 |
| ris_ | so patches for 6.2 and 6.3 should be some interpolation of the two | 18:20:28 |
| Sandro | If we don't have the 6.5 branch the maintainer is really active | 18:48:23 |
 @grahamc:nixos.org |
anyone have sources to back this up? sounds like unsubstantiated FUD to me | 19:00:37 |
| hexa | https://www.microsoft.com/en-us/windows/windows-11-specifications | 19:51:20 |
| hexa | UEFI, Secure Boot capable | 19:51:28 |
| hexa | * UEFI, Secure Boot capable | 19:51:32 |