Re: [Nix-dev] Announcing: NixOS Security Team, and Request for Comments

2017-01-08 Thread Christian Theune
Hi,

great to see this initiative, thanks! (I’m personally extremely busy so I 
missed the forming thread in early December).

At the Flying Circus we’re currently a bit behind (still running on 15.09) but 
are going to move to a newer version soon.

We’re spending quite a bit of time reviewing the vulnerabilities we see when 
using Vulnix and adding package updates to our fork. I’d love it if we could 
contribute more directly to upstream. However, even after updating, we’ll 
likely be a bit behind all the time. In our experience we can’t afford a major 
update every 6 months but at most once a year. So in that case we’ll likely be 
reviewing and contributing patches that need porting (either forward or 
backward).

I guess as a community we are focusing on updates for the most recent release. 
But I can see more people than just us (the Flying Circus) being interested in 
fixes that have a longer scope. I’m not talking about 5 years, but maybe more 
than 6 months. ;)

Cheers,
Christian

> On 6 Jan 2017, at 03:12, Graham Christensen  wrote:
> 
> 
> (cross-posted to nix-dev for discussion.)
> 
> Hello Nixians,
> 
> This morning the NixOS Security Team was formalized in a PR to the
> homepage: https://github.com/NixOS/nixos-homepage/pull/123.
> 
> This is now public at https://nixos.org/nixos/security.html.
> 
> This information is currently listed as follows:
> 
> 
>Graham Christensen gra...@grahamc.com
>GPG Key: 0xFE918C3A98C1030F
>GPG Fingerprint: BA94 FDF1 1DA4 0521 2864 C121 FE91 8C3A 98C1 030F
> 
>Franz Pletz fpl...@fnordicwalking.de
>GPG Key: 0x846FDED7792617B4
>GPG Fingerprint: 8A39 615D CE78 AF08 2E23 F303 846F DED7 7926 17B4
> 
>Domen Kožar do...@dev.si
>GPG Key: 0xC2FFBCAFD2C24246
>GPG Fingerprint: E96C 15A0 8D17 CE3B 17B0 C7AB C2FF BCAF D2C2 4246
> 
>Rob Vermaas rob.verm...@gmail.com
>GPG Key: 0xE114A5F264A8AE8E
>GPG Fingerprint: 96BF 75A5 3DEE 1F21 5F0C 979C E114 A5F2 64A8 AE8E
> 
> 
> At this time, none of us have signed each other's keys. There is some
> discussion about this in the pull request (linked above) but basically
> it boils down to this:
> 
> We do each trust the work and intentions of each other, but this
> doesn't necessarily translate into confirmed identity.
> 
> Signing keys has a lot of meaning around verifying identity. Until
> each of us is able to be in the same room and check identification, we
> can't very well assert each other's identities.
> 
> This is an effort to preserve the intentions of the web of trust... and
> this is where we get to the "request for comments" on how the Nix
> community would like for us to proceed on this front.
> 
> If you have any opinions or feedback, please feel free to reply to the
> nix-dev email list, and _not_ the GitHub issue so as to keep further
> conversation on this list.
> 
> 
> Thank you,
> Graham Christensen
> ___
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev

--
Christian Theune · c...@flyingcircus.io · +49 345 219401 0
Flying Circus Internet Operations GmbH · http://flyingcircus.io
Forsterstraße 29 · 06112 Halle (Saale) · Deutschland
HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick





Re: [Nix-dev] Announcing: NixOS Security Team, and Request for Comments

2017-01-06 Thread Colin Putney
On Fri, Jan 6, 2017 at 11:01 AM, zimbatm  wrote:

> In relation to GPG key signing, I think it's safe to trust online
> identities if they are established through enough channels. That's basically
> what keybase.io is doing, they are a point of contact but the proof of
> identity is distributed on multiple services. Personal verification is just
> another target.
>
> Someone who would want to subvert that process would have to impersonate
> all these services through MITM and also maintain that in place if the user
> is moving between connections (and somehow not trigger chrome's certificate
> monitoring).
> As far as I know only state actors might be able to pull that off. But
> they also have access to zeroday to hack and extract the private key
> directly which seems more practical to me.
>
> Anyways, it's good that you want to be careful, that's just my thinking.
>
In this context, we don't actually care about identity much. If @rbvermaa
has a passport that says something other than "Rob Vermaas", it doesn't
really matter. What does matter is that we trust the person who committed
so much good code. To that end, maybe the security team should add their
keys to some file in the repository, and then cross-sign from a checkout.

Colin
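Colin's suggestion is to keep the team's keys in a file in the repository and cross-sign from a checkout. What makes that safe is pinning the full fingerprint, not the key ID: an OpenPGP long key ID is only the low 64 bits of the fingerprint and can be collided, whereas the 160-bit fingerprint identifies the key. The following is an added example (not code from nixos.org, the nixos-homepage repository or any poster in this thread) that parses the roster exactly as Graham announced it, checks each entry is internally consistent, compares it with `gpg --with-colons --fingerprint` output of a local keyring, and emits the signing commands only for keys whose full fingerprint matches. The keyring output is constructed for the example; e-mail addresses are omitted.

```python
"""Check a local GnuPG keyring against the pinned NixOS Security Team roster
before cross-signing from a checkout.  Added example; not project code.
Roster values are from the announcement, the keyring sample is constructed."""
import re
from dataclasses import dataclass

# Roster as published on nix-dev, embedded so this runs offline.  In practice
# it would be the file Colin proposes keeping in the repository.
ROSTER_TEXT = """\
Graham Christensen
GPG Key: 0xFE918C3A98C1030F
GPG Fingerprint: BA94 FDF1 1DA4 0521 2864 C121 FE91 8C3A 98C1 030F

Franz Pletz
GPG Key: 0x846FDED7792617B4
GPG Fingerprint: 8A39 615D CE78 AF08 2E23 F303 846F DED7 7926 17B4

Domen Kožar
GPG Key: 0xC2FFBCAFD2C24246
GPG Fingerprint: E96C 15A0 8D17 CE3B 17B0 C7AB C2FF BCAF D2C2 4246

Rob Vermaas
GPG Key: 0xE114A5F264A8AE8E
GPG Fingerprint: 96BF 75A5 3DEE 1F21 5F0C 979C E114 A5F2 64A8 AE8E
"""

# Constructed `gpg --with-colons --fingerprint` output: Graham's key matches the
# roster; a key carrying Franz's long key ID but another fingerprint stands in
# for a key-ID collision; Domen's and Rob's keys were never imported.
SAMPLE_KEYRING = """\
pub:u:4096:1:FE918C3A98C1030F:1420000000:::u:::scESC::::::23::0:
fpr:::::::::BA94FDF11DA405212864C121FE918C3A98C1030F:
uid:u::::1420000000::0000000000000000000000000000000000000000::Graham Christensen::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1420000000::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
pub:u:4096:1:846FDED7792617B4:1420000000:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000000846FDED7792617B4:
"""

@dataclass(frozen=True)
class Member:
    name: str
    key_id: str       # 16 hex digits, no 0x prefix
    fingerprint: str  # 40 hex digits, no spaces

KEY_RE = re.compile(r"^GPG Key:\s*0x([0-9A-Fa-f]{16})$")
FPR_RE = re.compile(r"^GPG Fingerprint:\s*((?:[0-9A-Fa-f]{4}\s*){10})$")

def parse_roster(text):
    """Parse the published roster, rejecting malformed or inconsistent entries."""
    members = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 3:
            raise ValueError(f"malformed roster entry: {lines!r}")
        m_key, m_fpr = KEY_RE.match(lines[1]), FPR_RE.match(lines[2])
        if not (m_key and m_fpr):
            raise ValueError(f"malformed key or fingerprint line for {lines[0]}")
        key_id = m_key.group(1).upper()
        fpr = re.sub(r"\s+", "", m_fpr.group(1)).upper()
        # A v4 long key ID is the low 64 bits of the fingerprint; if the two
        # disagree the roster entry was mistyped or edited.
        if fpr[-16:] != key_id:
            raise ValueError(f"{lines[0]}: key ID {key_id} is not the tail of {fpr}")
        members.append(Member(lines[0], key_id, fpr))
    return members

def parse_gpg_colons(output):
    """Map primary long key IDs to fingerprints from --with-colons output.
    Only the fpr record directly after a pub record counts; subkey fpr
    records (those after sub) are ignored."""
    fprs, pending = {}, None
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            pending = fields[4].upper()
        elif fields[0] == "fpr" and pending is not None:
            fprs[pending] = fields[9].upper()   # field 10 holds the fingerprint
            pending = None
        else:
            pending = None
    return fprs

def check_keyring(members, keyring_fprs):
    """Return {name: 'ok' | 'missing' | 'MISMATCH'}.  Only a full fingerprint
    match is 'ok'; a matching 64-bit ID with a different fingerprint is what a
    key-ID collision looks like and must never be signed."""
    status = {}
    for m in members:
        local = keyring_fprs.get(m.key_id)
        status[m.name] = ("missing" if local is None
                          else "ok" if local == m.fingerprint else "MISMATCH")
    return status

def sign_commands(members, status, exportable=False):
    """gpg invocations for the keys that checked out, selected by full
    fingerprint so gpg cannot pick another key with the same ID.  --lsign-key
    is a local, non-exportable certification (you trust the roster, not an
    identity check); --sign-key would publish it into the web of trust."""
    flag = "--sign-key" if exportable else "--lsign-key"
    return [f"gpg {flag} {m.fingerprint}" for m in members if status[m.name] == "ok"]

if __name__ == "__main__":
    roster = parse_roster(ROSTER_TEXT)
    result = check_keyring(roster, parse_gpg_colons(SAMPLE_KEYRING))
    for name, s in result.items():
        print(f"{s:8} {name}")
    print("\n".join(sign_commands(roster, result)))
```

Run against a real keyring by replacing SAMPLE_KEYRING with the output of `gpg --with-colons --fingerprint --list-keys`. The default of `--lsign-key` keeps the certification on your machine, which matches Graham's concern: what you have verified is that the key matches the file in the repository, not that the holder's passport says "Rob Vermaas", so an exportable signature would overstate what you checked.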


Re: [Nix-dev] Announcing: NixOS Security Team, and Request for Comments

2017-01-06 Thread zimbatm
In relation to GPG key signing, I think it's safe to trust online
identities if they are established through enough channels. That's basically
what keybase.io is doing, they are a point of contact but the proof of
identity is distributed on multiple services. Personal verification is just
another target.

Someone who would want to subvert that process would have to impersonate
all these services through MITM and also maintain that in place if the user
is moving between connections (and somehow not trigger chrome's certificate
monitoring).
As far as I know only state actors might be able to pull that off. But they
also have access to zeroday to hack and extract the private key directly
which seems more practical to me.

Anyways, it's good that you want to be careful, that's just my thinking.

On Fri, 6 Jan 2017, 02:13 Graham Christensen,  wrote:

>
> (cross-posted to nix-dev for discussion.)
>
> Hello Nixians,
>
> This morning the NixOS Security Team was formalized in a PR to the
> homepage: https://github.com/NixOS/nixos-homepage/pull/123.
>
> This is now public at https://nixos.org/nixos/security.html.
>
> This information is currently listed as follows:
>
>
> Graham Christensen gra...@grahamc.com
> GPG Key: 0xFE918C3A98C1030F
> GPG Fingerprint: BA94 FDF1 1DA4 0521 2864 C121 FE91 8C3A 98C1 030F
>
> Franz Pletz fpl...@fnordicwalking.de
> GPG Key: 0x846FDED7792617B4
> GPG Fingerprint: 8A39 615D CE78 AF08 2E23 F303 846F DED7 7926 17B4
>
> Domen Kožar do...@dev.si
> GPG Key: 0xC2FFBCAFD2C24246
> GPG Fingerprint: E96C 15A0 8D17 CE3B 17B0 C7AB C2FF BCAF D2C2 4246
>
> Rob Vermaas rob.verm...@gmail.com
> GPG Key: 0xE114A5F264A8AE8E
> GPG Fingerprint: 96BF 75A5 3DEE 1F21 5F0C 979C E114 A5F2 64A8 AE8E
>
>
> At this time, none of us have signed each other's keys. There is some
> discussion about this in the pull request (linked above) but basically
> it boils down to this:
>
> We do each trust the work and intentions of each other, but this
> doesn't necessarily translate into confirmed identity.
>
> Signing keys has a lot of meaning around verifying identity. Until
> each of us is able to be in the same room and check identification, we
> can't very well assert each other's identities.
>
> This is an effort to preserve the intentions of the web of trust... and
> this is where we get to the "request for comments" on how the Nix
> community would like for us to proceed on this front.
>
> If you have any opinions or feedback, please feel free to reply to the
> nix-dev email list, and _not_ the GitHub issue so as to keep further
> conversation on this list.
>
>
> Thank you,
> Graham Christensen
>
> --
> You received this message because you are subscribed to the Google Groups
> "nix-security-announce" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to nix-security-announce+unsubscr...@googlegroups.com.
> To post to this group, send email to
> nix-security-annou...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/nix-security-announce/87bmvluead.fsf%40NdNdNx.supersecrets.gsc.io
> .
> For more options, visit https://groups.google.com/d/optout.
>


[Nix-dev] Announcing: NixOS Security Team, and Request for Comments

2017-01-05 Thread Graham Christensen

(cross-posted to nix-dev for discussion.)

Hello Nixians,

This morning the NixOS Security Team was formalized in a PR to the
homepage: https://github.com/NixOS/nixos-homepage/pull/123.

This is now public at https://nixos.org/nixos/security.html.

This information is currently listed as follows:


Graham Christensen gra...@grahamc.com
GPG Key: 0xFE918C3A98C1030F
GPG Fingerprint: BA94 FDF1 1DA4 0521 2864 C121 FE91 8C3A 98C1 030F

Franz Pletz fpl...@fnordicwalking.de
GPG Key: 0x846FDED7792617B4
GPG Fingerprint: 8A39 615D CE78 AF08 2E23 F303 846F DED7 7926 17B4

Domen Kožar do...@dev.si
GPG Key: 0xC2FFBCAFD2C24246
GPG Fingerprint: E96C 15A0 8D17 CE3B 17B0 C7AB C2FF BCAF D2C2 4246

Rob Vermaas rob.verm...@gmail.com
GPG Key: 0xE114A5F264A8AE8E
GPG Fingerprint: 96BF 75A5 3DEE 1F21 5F0C 979C E114 A5F2 64A8 AE8E


At this time, none of us have signed each other's keys. There is some
discussion about this in the pull request (linked above) but basically
it boils down to this:

We do each trust the work and intentions of each other, but this
doesn't necessarily translate into confirmed identity.

Signing keys has a lot of meaning around verifying identity. Until
each of us is able to be in the same room and check identification, we
can't very well assert each other's identities.

This is an effort to preserve the intentions of the web of trust... and
this is where we get to the "request for comments" on how the Nix
community would like for us to proceed on this front.

If you have any opinions or feedback, please feel free to reply to the
nix-dev email list, and _not_ the GitHub issue so as to keep further
conversation on this list. 


Thank you,
Graham Christensen

