!RROtHmAaQIkiJzJZZE:nixos.org

NixOS Infrastructure

483 Members
Next Infra call: 2024-07-11, 18:00 CEST (UTC+2) | Infra operational issues backlog: https://github.com/orgs/NixOS/projects/52 | See #infra-alerts:nixos.org for real time alerts from Prometheus.151 Servers

Load older messages


SenderMessageTime
27 Jun 2026
@emilazy:matrix.orgemilybecause then you might as well skip the key12:05:36
@hexa:lossy.networkhexawe should get DNSSEC12:05:42
@hexa:lossy.networkhexathat shit is so complicated that attackers tend to forget it is in place12:06:00
@emilazy:matrix.orgemilyif you secure the transit enough that you feel you can trust any key coming down the wire then you don't need to sign the packages at all12:06:20
@emilazy:matrix.orgemilytlog as key distribution mechanism would work though :)12:06:56
@joerg:thalheim.ioMic92
In reply to @hexa:lossy.network
already deployed, sorry :)
Okay should be fine
12:07:27
@elisaado:elisaado.comEli Saado it depends on the threat model, transit can be very secure but if the server serving the packages is compromised an attacker can still serve malware if packages aren't signed 12:07:27
@hexa:lossy.networkhexaI mean, we trust the key currently sitting on github in nixpkgs12:07:57
@hexa:lossy.networkhexaso we could also just fetch that12:08:03
@emilazy:matrix.orgemilyideally we get Nixpkgs signed too one day12:09:23
@emilazy:matrix.orgemilyyes my point is that if you fetch new package signing keys like that without some other chain of trust then you can still do that12:09:54
@wamserma:nixos.devwamsermatlog sounds nice. + publishing a hash in a few different places as RoT?12:10:16
@emilazy:matrix.orgemilytbh Merkle tree certs is what would be ideal, but that'd be a whole thing to teach Nix about12:10:16
@emilazy:matrix.orgemilyyou can do better than that12:10:27
@emilazy:matrix.orgemilyhttps://witness-network.org/12:10:38
@emilazy:matrix.orgemilyespecially with WebPKI adopting MTCs with tlogs as the source of truth for certs there's a lot of nice things happening12:11:19
@wamserma:nixos.devwamsermadid someone mention SLSA yet?12:13:09
@hexa:lossy.networkhexayes, tooon in 202212:13:58
@hexa:lossy.networkhexaRedacted or Malformed Event12:14:03
@hexa:lossy.networkhexaRedacted or Malformed Event12:14:09
@wamserma:nixos.devwamserma(just being snarky, going full SLSA would be leaping instead of taking this in reasonable steps)12:15:26
@hexa:lossy.networkhexagiven that this rom is lossy12:15:43
@hexa:lossy.networkhexaRedacted or Malformed Event12:15:49
@hexa:lossy.networkhexay'all should schedule a meeting and discuss options12:15:58
@hexa:lossy.networkhexaand come back with a protocol12:16:03
@wamserma:nixos.devwamsermai can offer this as a thesis topic :)12:20:24
@vcunat:matrix.orgVladimír ČunátThe GC issues need deploying some updates on the builders (as well), right?13:14:51
@joerg:thalheim.ioMic92 hexa (signing key rotation when): did this presumably? Because the branch is merged. 13:17:58
@vcunat:matrix.orgVladimír Čunát

A quick check didn't seem that way:

[root@elated-minsky:~]# ls -l /run/current-system
lrwxrwxrwx 1 root root 93 Jun 27 00:00 /run/current-system -> /nix/store/hy3xflm3y9ckb8zrdv73gb63xgmycw3g-nixos-system-elated-minsky-26.05.20260621.c1613e5
13:18:38
@joerg:thalheim.ioMic92Okay, feel free to update.13:19:02

Show newer messages


Back to Room ListRoom Version: 6