<gchristensen>
hey fractalcat, nice to have you 'round :) I look forward to talking with you about security stuff
<gchristensen>
but for now, it is bed time. night!
<fractalcat>
hey gchristensen, talk to you some other time - night!
<pie__>
it's cats all the way down? 0.o
<andi->
pie__: well just one ;)
<pie__>
a _fractal_ cat
<IdleBot_a849b5b4>
pie__ : not all fractals are completely self-similar, and it does not have to start at the top level; like coastlines
<pie__>
yeah i know but thats less fun :P
<IdleBot_a849b5b4>
We are in a channel with «security» in the name, truth is never fun here; but sometimes !!FUN!!
<pie__>
(oh god)
<pie__>
that makes me want to tell security horror anecdotes but i don't actually know any because i'm not working in the industry xD
<adisbladis[m]>
Would we want to have announcements sent out for all CVE fixes?
<adisbladis[m]>
At the very least an RSS feed with all fixed CVEs would be good
<IdleBot_a849b5b4>
This should also include all Firefox etc. updates, regardless of whether we actively know about any CVEs…
adisbladis has joined #nixos-security
<pie__>
nix-feed tool? :p
<adisbladis[m]>
I started hacking on something yesterday
<adisbladis[m]>
It extracts CVE fixes from commit history
<pie__>
hhm
<fractalcat>
adisbladis[m]: that alone would be very useful
<fractalcat>
pie__: yeah, i had a nonintegral hausdorff dimension last time i checked :)
<pie__>
;D
<fractalcat>
IdleBot_a849b5b4: i'm pretty new to nixos and not familiar with how packaging/releases normally happen, but often in other distros the security advisories would come out of the packaging process - so an upstream security fix would prompt an advisory downstream
<fractalcat>
kinda related to my question on nix-devel wrt whether the scope of the advisories list was nixos-specific issues only or not
<andi->
adisbladis: based on what data? Just references to CVEs or more "complex" stuff?
<andi->
Not sure if my mail ever made it to the ML... But there are many different ways we could do that. Given that many people just push an update to a package without reading through a brief changelog (or just don't care about the stable channels), relying on someone mentioning/marking/tagging/... a security fix will probably not work.. I have been angry a few times when people just merged ryantm's stuff on
<andi->
master while it fixed a (then known) issue for 18.03..
<andi->
I have been working on a tool to fix most of that and I'd like to push towards something like the traditional security.distro.org pages where we (at least try) publish (automated?) status reports regarding known CVEs. Problem is probably knowing that something was fixed a while ago but the CVE was still under embargo. So some kind of historical "scanning" is required.
* andi-
is off to the slavery^Woffice
<adisbladis>
andi-: For now just references to CVEs and CVE metadata from mitre
<andi->
adisbladis: ok, that's the easy part. I have that as a rust program that checks all patches (names) and versions etc..
<pie__>
so...we don't actually have anything for package versions other than the version string convention, yeah?
<adisbladis>
andi-: Yeah. I'm not sure exactly what kind of data we want in the announcements in the first place
<adisbladis>
This was for work, but it could also be useful for others
<andi->
One more thing: we should be able to store our classification/notes for any cve. E.g. things might be unaffected on NixOS. We must document that then
<andi->
Vulnix has that feature (called a pkg whitelist) but only one comment per package.. We would want version range/cve/..
<pie__>
inb4 nix ends up with a better metadata database than mitre
<andi->
Once we have such data to act on we can just pipe that into mails..
<andi->
Well.. It seems like any distro out there does the same..
<andi->
I have been reading through many of those toolings
<andi->
They are arcane.. They process every single CVE semi-manually..
<andi->
Also it is probably desirable to have a more specific DB than mitre. MITRE just has their CPE + number to text mapping in a fancy way ;)
<adisbladis>
I wish nixcon was sooner. This kind of talk is perfect for that
<andi->
Well I booked flights for nixcon yesterday.. I'll be around the entire week as of now ;)
<adisbladis>
\o/
mmercier has joined #nixos-security
mmercier is now known as mickours
mickours is now known as mmercier
<andi->
In other words: if any of you want to talk about stuff, hack on some code,... I would be up for a weekends trip to $wherever (in Europe).. Been waiting on such a discussion for months :)
* fractalcat
looks at nixcon
<fractalcat>
fair distance, but i imagine i can convince my employer it makes sense :)
<fractalcat>
europe is a bit far for a weekend trip though
<fractalcat>
i'll talk to people next week and see if i can get some time to pitch in, thanks for the helpful comments everyone
<andi->
fractalcat: thanks for bringing that topic up :)
<adisbladis>
fractalcat: Where are you located?
<fractalcat>
adisbladis: sydney, australia. so pretty far from most places.
<fractalcat>
started a new job this week at a place that's planning on nixos for all prod deployments, thus my sudden interest
<andi->
\o/
<adisbladis>
Sweet :)
* andi-
is still stuck at slowly subverting everything by supplying super simple and reliable nix shell files instead of random bash scripts and VM images..
<adisbladis>
I think I would love australia if it wasn't so damn far away
<adisbladis>
I already think asia is too far away from a lot of interesting things
<andi->
adisbladis: where are you located?
<adisbladis>
andi-: Hong Kong
<andi->
isn't that also pretty much as far away as possible from anything?
<fractalcat>
alright time for me to head home, i'll be back here monday o/
<andi->
the earth being a sphere is lacking direct connections between all the "important" places.. :)
fractalcat has quit [Quit: WeeChat 2.1]
<adisbladis>
andi-: Yeah.. Looking to move back to Europe this year or early next year =)
<adisbladis>
But that depends on finding a decent job
<andi->
decent jobs are hard.. at least for me with the growing requirements that I establish for me :/
__Sander__ has joined #nixos-security
adisbladis has quit [Ping timeout: 256 seconds]
ckauhaus has joined #nixos-security
pie__ has quit [Ping timeout: 268 seconds]
__Sander__ has quit [Quit: Konversation terminated!]
mmercier has quit [Remote host closed the connection]
mmercier_ has joined #nixos-security
pie__ has joined #nixos-security
pie__ has quit [Ping timeout: 240 seconds]
mmercier_ has quit [Quit: mmercier_]
pie__ has joined #nixos-security
{^_^} has quit [Remote host closed the connection]
{^_^} has joined #nixos-security
{^_^} has quit [Changing host]
{^_^} has joined #nixos-security
ekleog has joined #nixos-security
{^_^} has quit [Remote host closed the connection]
{^_^} has joined #nixos-security
{^_^} has quit [Changing host]
{^_^} has joined #nixos-security
ckauhaus has quit [Quit: Leaving.]
{^_^} has quit [Remote host closed the connection]
{^_^} has joined #nixos-security
{^_^} has quit [Changing host]
{^_^} has joined #nixos-security
contrapumpkin has quit [Remote host closed the connection]
{^_^} has quit [Remote host closed the connection]
{^_^} has joined #nixos-security
{^_^} has quit [Remote host closed the connection]
{^_^} has joined #nixos-security
gchristensen has left #nixos-security ["WeeChat 2.0"]
gchristensen has joined #nixos-security
{^_^} has quit [Remote host closed the connection]
{^_^} has joined #nixos-security
{^_^} has quit [Remote host closed the connection]