2015-04-10 14:20 GMT-06:00 Christian Theune <[email protected]>:
> Hi,
>
>> On 10 Apr 2015, at 22:16, Domen Kožar <[email protected]> wrote:
>>
>> That's what I meant - sitting down together (sprints!) and writing those
>> tools to help us automate security vulns monitoring for Nix.
>
> So the next level on discussion from there would be: what kind of tooling do
> people expect and what workflow should they support?

I think the typical sysadmin attitude towards security is "I don't have time for this, but I still gotta cover my ass". So it would be nice to have a "set and forget" type of tool that can be trusted to automatically (or semi-automatically) pull in out-of-band security patches, similar to how Ubuntu security updates work.

> Is there anything in people's heads already? Is that something that I just
> missed by being late to the game and the "work just needs to be done"? Or are
> we at the point of "need some design that the community agrees upon"?

Speaking of things in my head, I have been thinking about something related to this...

I think it would be useful to have a "bump bot" for nixpkgs that could scan metadata and catalog exactly which packages are out of date. The bot would pull data from multiple sources (package mirrors, other distros, security feeds) to warn about major version bumps and security advisories. Maintainers could then use output from the bot to see at a glance which of their packages are out of date. Maybe even with a web interface with graphs and charts to compare against other Linux distros and upstream. Distrowatch already does something similar for a select few important packages.

That's my practical solution to the opaqueness of manually comparing package versions in nixpkgs to a security feed that we trust someone is actually watching.

Just throwing that out there. If it sounds useful, give me some tips/encouragement and I might prototype something.

_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
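As an added illustration of the "bump bot" idea sketched above (example code, not from the thread or from nixpkgs), here is a minimal Python core that compares packaged versions against constructed upstream and advisory data and catalogs which packages are stale or affected. The version comparison, the advisory record format and all sample data are assumptions made for the example.

```python
"""Minimal core of the proposed nixpkgs 'bump bot': compare package metadata
against upstream release data and a security feed, and catalog the result.
All data below is constructed inline; a real bot would fetch it from mirrors,
other distros and advisory feeds."""
import re

# Constructed sample of nixpkgs metadata: package name -> packaged version.
NIXPKGS = {"openssl": "1.0.1k", "nginx": "1.6.2", "curl": "7.41.0", "gcc": "4.9.2"}
# Constructed stand-in for an upstream/mirror feed: package name -> latest version.
UPSTREAM = {"openssl": "1.0.2a", "nginx": "1.7.12", "curl": "7.41.0", "gcc": "5.1.0"}
# Constructed stand-in for a security feed (placeholder id, not a real advisory).
ADVISORIES = [{"id": "EXAMPLE-2015-0001", "package": "openssl", "fixed_in": "1.0.1m"}]


def version_key(version):
    """Tokenize '1.0.1k' into ((0,1),(0,0),(0,1),(1,'k')): numeric parts compare
    as integers, letter suffixes lexically. This is a simplifying assumption,
    not the comparison Nix itself uses."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def classify(name, current, latest, advisories):
    """Return the findings for one package as a list of (kind, detail) pairs."""
    cur, new = version_key(current), version_key(latest)
    findings = []
    # Security advisories first: flag if we ship something older than the fix.
    for adv in advisories:
        if adv["package"] == name and cur < version_key(adv["fixed_in"]):
            findings.append(("advisory", f"{adv['id']} fixed in {adv['fixed_in']}"))
    # Then plain staleness; a change in the leading component counts as a major bump.
    if cur < new:
        kind = "major-bump" if cur[:1] != new[:1] else "minor-bump"
        findings.append((kind, f"{current} -> {latest}"))
    return findings or [("up-to-date", current)]


def scan(packages, upstream, advisories):
    """Catalog every package so a maintainer can see at a glance what is stale."""
    return {name: classify(name, ver, upstream.get(name, ver), advisories)
            for name, ver in packages.items()}


if __name__ == "__main__":
    for name, findings in sorted(scan(NIXPKGS, UPSTREAM, ADVISORIES).items()):
        for kind, detail in findings:
            print(f"{name:10} {kind:12} {detail}")
```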
