Hello Nix People,

With the help of Rob and Domen, NixOS has taken two big steps in our security infrastructure. This is especially apt after completing the first 10 weekly security roundups. We have now examined over a thousand vulnerability alerts from LWN, and patched almost 200 packages.
Mailing List:
=============

Firstly, we now have a public mailing list, with a public archive, to distribute security announcements. This list can be found here:

https://groups.google.com/forum/#!forum/nix-security-announce

This list is exclusively for security announcements, and discussion around security announcements related to Nix, NixOS, NixPkgs and NixOps. Please subscribe for future security updates, and if you know anyone interested in these updates, please let them know it exists, too.

This list replaces the stop-gap solution of posting to https://github.com/NixOS/nixpkgs/issues/13515.

We are still getting organized around this effort, but we plan to sign official updates with GPG to verify authenticity. Eventually we will publish a list of GPG keys to trust on the public website. For now, you can feel free to trust my key. (See later in this email.)

Tooling:
========

Secondly, the tooling I've used to generate our roundups has been open sourced. You can find that code on GitHub:

https://github.com/NixOS/security

I tried to write enough documentation on how it works and how to use it in the management of issues. This tooling is young, but has saved me countless hours of work over the last 10 roundups. I look forward to expanding and improving the tooling over time.

What is Next?
=============

While I don't have a roadmap formally defined, here are some thoughts.

1. Creating tooling for users to know what CVEs they are impacted by.
2. Improving the roundup generation to include CVE severity, impact, etc., in order to prioritize the worst issues first.
3. Progress towards being eligible to join the oss-security "distros" list (https://github.com/NixOS/nixpkgs/issues/14819).

GPG:
====

Fingerprint: FE918C3A98C1030F

You can find the key here:

https://pgp.mit.edu/pks/lookup?op=get&search=0xFE918C3A98C1030F

You can see I also reference it in my Twitter biography:

https://twitter.com/grhmc/

You can compare the key to how I've signed many commits in nixpkgs:

https://github.com/NixOS/nixpkgs/pull/20668/commits

Note, though, that I sign my commits with a different subkey:

pub   rsa4096/0xFE918C3A98C1030F 2014-01-04 [SC] [expires: 2018-01-04]
uid                   [ unknown] Graham Christensen <gra...@grahamc.com>
uid                   [ unknown] Graham Christensen (Contractor) <gra...@clarify.io>
uid                   [ unknown] Graham Christensen <gra...@tumblr.com>
sub   rsa4096/0x8ED3C0087C86E062 2014-01-04 [E] [expires: 2018-01-04]
sub   rsa4096/0xACA1C1D120C83D5C 2016-10-21 [S] [expires: 2018-10-21]

You can also find me on keybase.io:

https://keybase.io/graham

Final Notes:
============

Huge thank-you to Domen for moving my security repository to the NixOS organization, Rob for creating the mailing list, and all of the contributors to our first 10 security roundups.

Thank you,
Graham Christensen

P.S. Happy Thanksgiving, U.S.A.!
[Attachment: signature.asc (PGP signature)]
_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
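Added example (editor's note; this is not part of Graham's email and not code from the NixOS/security repository). The key block in the email illustrates a check that is easy to get wrong when verifying a nixpkgs commit or a signed announcement: gpg --verify and git log --show-signature report the ID of the subkey that made the signature (0xACA1C1D120C83D5C in his listing), not the primary key ID that is published as the trust anchor, so a naive string comparison against the published ID fails. The script below parses the machine-readable output of gpg --with-colons --fingerprint --list-keys, resolves a reported key ID to its primary key, and then checks that the primary matches the trust anchor and that the signing key is signing-capable and unexpired. Two caveats a practitioner should carry: the 16-hex-digit value the email labels a fingerprint is a 64-bit long key ID, and a full 40-digit v4 fingerprint is the stronger anchor (the check accepts either, and refuses 8-digit short IDs, which are trivially collidable); and an expired subkey must be rejected even when its primary is trusted. The embedded listing is constructed for the example: it reuses the key IDs, capabilities and dates from the email, but the 40-digit fingerprints are placeholders whose last 16 digits equal the real long IDs (as is true of any v4 key). The function and parameter names (parse_colons, resolve_signer, check_signature_key, now) are the example's own.

```python
"""Resolve the key ID a GPG signature reports to its primary key and check it
against a published trust anchor.

Input is the output of `gpg --with-colons --fingerprint --list-keys`.
--with-colons record layout (1-based fields):
  field 1  record type (pub / sub / fpr / uid / tru ...)
  field 5  long key ID (16 hex digits)
  field 7  expiry as epoch seconds, empty if the key never expires
  field 12 capabilities; lowercase letters are this key's own
           capabilities ('s' = sign, 'e' = encrypt, 'c' = certify)
A fpr record carries the full fingerprint in field 10 and always follows
the pub/sub record it belongs to.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# CONSTRUCTED sample listing.  Key IDs, capabilities and dates follow the
# email; the fingerprints are placeholders (first 24 digits made up, last
# 16 digits equal to the long key ID, as for any real v4 key).
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:e:4096:1:FE918C3A98C1030F:1388793600:1515024000::-:::scESC:::::::
fpr:::::::::0123456789ABCDEF01234567FE918C3A98C1030F:
uid:e::::1388793600::0000000000000000000000000000000000000000::Graham Christensen <gra...@grahamc.com>::::::::::0:
sub:e:4096:1:8ED3C0087C86E062:1388793600:1515024000:::::e::::::
fpr:::::::::FEDCBA9876543210FEDCBA988ED3C0087C86E062:
sub:e:4096:1:ACA1C1D120C83D5C:1477008000:1540080000:::::s::::::
fpr:::::::::89ABCDEF0123456789ABCDEFACA1C1D120C83D5C:
"""


@dataclass
class Key:
    keyid: str                 # 16-hex long key ID
    caps: str                  # capability letters from field 12
    expires: int | None        # epoch seconds, or None if no expiry
    fingerprint: str = ""      # 40-hex fingerprint, filled from the fpr record
    subkeys: list[Key] = field(default_factory=list)


def parse_colons(listing: str) -> list[Key]:
    """Build primary Key objects (each with its subkeys) from --with-colons output."""
    primaries: list[Key] = []
    awaiting_fpr: Key | None = None   # pub/sub record whose fpr line is next
    for line in listing.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec in ("pub", "sub"):
            key = Key(keyid=f[4].upper(), caps=f[11],
                      expires=int(f[6]) if f[6] else None)
            if rec == "pub":
                primaries.append(key)
            else:
                primaries[-1].subkeys.append(key)
            awaiting_fpr = key
        elif rec == "fpr" and awaiting_fpr is not None:
            awaiting_fpr.fingerprint = f[9].upper()
            awaiting_fpr = None
    return primaries


def _normalize_id(value: str) -> str:
    """Accept '0x'-prefixed or spaced IDs/fingerprints; refuse short 8-digit IDs."""
    norm = value.replace(" ", "").upper().removeprefix("0X")
    if len(norm) < 16:
        raise ValueError("refusing short key ID; use a long ID or full fingerprint")
    return norm


def resolve_signer(primaries: list[Key], reported_id: str) -> tuple[Key, Key] | None:
    """Return (primary, signing_key) for the key ID a signature reports.

    Matching uses the suffix of the fingerprint, so a long ID or a full
    fingerprint both work.  Returns None if the key is not in the keyring.
    """
    wanted = _normalize_id(reported_id)
    for primary in primaries:
        for key in (primary, *primary.subkeys):
            if key.fingerprint.endswith(wanted):
                return primary, key
    return None


def check_signature_key(primaries: list[Key], reported_id: str,
                        trusted_primary: str, now: int) -> tuple[bool, str]:
    """Decide whether a signature made by `reported_id` should be trusted.

    Returns (ok, reason).  Rejects: unknown key, key belonging to a primary
    other than the trust anchor, key without the sign capability, expired key.
    """
    anchor = _normalize_id(trusted_primary)
    hit = resolve_signer(primaries, reported_id)
    if hit is None:
        return False, "key not in local keyring"
    primary, signer = hit
    if not primary.fingerprint.endswith(anchor):
        return False, f"signed under untrusted primary {primary.keyid}"
    if "s" not in signer.caps:
        return False, f"{signer.keyid} is not a signing key"
    if signer.expires is not None and now > signer.expires:
        return False, f"{signer.keyid} expired"
    return True, f"{signer.keyid} is a valid signing key of {primary.keyid}"


if __name__ == "__main__":
    keys = parse_colons(SAMPLE_LISTING)
    # A commit signed with the [S] subkey, checked against the published primary ID.
    print(check_signature_key(keys, "0xACA1C1D120C83D5C", "FE918C3A98C1030F", now=1500000000))
    # The [E] subkey must never be accepted as a signer.
    print(check_signature_key(keys, "0x8ED3C0087C86E062", "FE918C3A98C1030F", now=1500000000))
```

To run it against a real keyring, replace SAMPLE_LISTING with the output of gpg --with-colons --fingerprint --list-keys and pass the key ID printed by git log --show-signature (or gpg --verify) as reported_id; pass the full fingerprint obtained out of band (the announcement list, a key-signing party, keybase) as trusted_primary rather than a key ID whenever you have it.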