| 30 Jul 2021 |
Linux Hackerman | The hardened profile breaks things. Don't use it if it breaks things you need. | 14:39:22 |
Linux Hackerman | Sorry, I'm in a bit of a foul mood for unrelated reasons and this probably isn't the best disposition to be helping people in. I'll be off. | 14:40:27 |
tnias | Especially on a desktop/workstation it is not usable. Would not recommend. | 14:41:14 |
Michael Lieberman | Has anyone taken a look at OpenSSF's new SLSA standard for supply chain security? https://slsa.dev/ Seems like just by its nature Nix hits the highest level for most things. | 21:00:55 |
Sandro | Definitely not A | 22:45:29 |
Sandro | And most of the others could be circumvented, but not in the default configuration. Also, we could have bad npm packages, too. | 22:46:19 |
Sandro | But we avoid some attack vectors due to the build sandbox | 22:46:32 |
Michael Lieberman | Interesting. I'm not super deep yet on Nix internals. Does SLSA seem like a reasonable standard? It's pretty new and based on Google's internal Binary Authorization standards. I'm a bit cautious on some of the claims the SLSA standard makes because it relies on a "trusted control plane" and similar. If so, is there any doc or anything I could read up on regarding current Nix security concerns (that aren't confidential)? | 22:53:46 |
Sandro | I don't know if it is reasonable, but I didn't read too much weird stuff yet. | 23:09:03 |
Sandro | Nix has probably all of the security problems that come with a big open source project where not everyone knows everyone and every part of the code | 23:09:56 |
| 31 Jul 2021 |
Roos | "Dependencies have their own SLSA ratings, and it is possible for a SLSA 4 artifact to be built from SLSA 0 dependencies" Especially this. | 08:30:08 |
Roos | We may have provenance, build signature and somewhat reproducible builds (arguably), but we're still pulling stuff from unknown sources. | 08:31:07 |
Sandro | Yeah well, we need to get the source from somewhere | 08:33:14 |
Roos | IMHO, SLSA 2 is missing non-repudiability. | 08:33:36 |
Roos | In reply to @sandro:supersandro.de Yeah well, we need to get the source from somewhere Yes. Security-sensitive processes do review source changes before using them, we don't. | 08:34:36 |
disrupt_the_flow | In reply to @linus.heckemann:matrix.mayflower.de "The hardened profile breaks things. Don't use it if it breaks things you need." Yeah, I know, and I fixed some, but this specific one is weird. | 08:35:03 |
Roos | Interesting read, thanks ^^ | 08:36:49 |
Sandro | In reply to @roosemberth:orbstheorem.ch "Yes. Security-sensitive processes do review source changes before using them, we don't." I am pretty sure security-sensitive processes also try to use as few packages as possible and not literally anything. I think we do it sometimes for core packages but not for every package. | 08:37:34 |
Roos | Oh, I didn't know we did source-review! | 08:38:31 |
ris_ | .... depends what you mean by source review .... | 18:51:54 |
ris_ | and what sort of attack scenario we'd be trying to catch by such a review | 18:52:31 |
ris_ | there are few if any packages where we review the (source) diff of every bump | 18:54:20 |
ris_ | and i'm not sure there are any distros that do | 18:54:38 |
ris_ | anything other than an extremely minimal distro trying to do that would get so bound down in molasses that i would imagine any security benefits from "supply chain security" would be outweighed by the slowness of it all. | 18:55:59 |
ris_ | anyway... | 18:56:04 |
ris_ | (was going to go on for some rabbitmq/elixir assistance but i think i've figured it out) | 19:15:24 |
ris_ | actually it does look like i'll need to call in some rabbitmq help on https://github.com/NixOS/nixpkgs/pull/132242 | 21:46:24 |
Michael Lieberman | In reply to @r_i_s:matrix.org "anything other than an extremely minimal distro trying to do that would get so bound down in molasses that i would imagine any security benefits from "supply chain security" would be outweighed by the slowness of it all." I think it's a balance. Not everything needs to be SLSA 4. And you can be SLSA 4 for your source and build but include SLSA 0 dependencies. | 21:54:15 |