elvishjerricco has quit [Ping timeout: 258 seconds]
elvishjerricco has joined #nixos-security
elvishjerricco has quit [Max SendQ exceeded]
elvishjerricco has joined #nixos-security
MichaelRaskin has quit [Quit: MichaelRaskin]
periklis has joined #nixos-security
pie__ has joined #nixos-security
<pie__> is it possible to mark packages to not be checked for in the binary cache? / how can I avoid leaking data (I guess just hashes?) to the world?
periklis has quit [Remote host closed the connection]
<tilpner> Can you keep the cache private?
<tilpner> Oh, you want to avoid local builds to not be queried for in available caches?
<tilpner> (I said that wrong, but you probably got what I meant)
<tilpner> One option would be to only use trusted caches over trusted transport methods (e.g. own mirror with VPN)
<tilpner> Then there's preferLocalBuild, but I don't know how strong that setting is
<tilpner> And allowSubstitutes = false;
<tilpner> ^ pie__
<pie__> thanks ill check it out
<pie__> I guess local mirror might not be a bad idea
<pie__> well, thats probably not as simple as it sounds
<pie__> ill definitely start with allowsubstitutes = false
<pie__> is there possibility of leaking anything other than hashes?
<tilpner> If you have a server with storage, a local mirror is fairly simple
<tilpner> But I've decided to mostly ignore hash leakage
<pie__> sure but what decides what goes in the mirror
<tilpner> I can only ignore that because my cache is private
<tilpner> Everything from https://nixos.org/channels/nixos-unstable/store-paths.xz could go there
<tilpner> (Or whatever channel you're on)
<tilpner> Then do that periodically and you have a mirror
<pie__> isnt the nixos cache like a gajillion terabytes
<tilpner> Yes, because it keeps the entire history and never deletes anything (AFAIK)
<pie__> hm well I guess I wouldnt have to mirror old builds
<tilpner> But you don't have the same restriction
<tilpner> I think a single generation is about 200-300GB
<tilpner> And when you update it can re-use a bunch of that (unless something essential changed, in which case...)
<pie__> sure
<tilpner> Alternatively you could have a hydra fetch just the things you need
<tilpner> Which would mean hash leakage to fastly/nixos if you're not careful though
<tilpner> (Which I don't think is a problem, but you might decide differently)
<tilpner> Just mirroring everything can be done without hash-leakage and without a hydra
<pie__> wonder if it would suffice to just add a salt file to everything
<pie__> eh, thats complicated. if we ever use nix in production for whatever this is ill just ask
<tilpner> (You would just do curl -L https://nixos.org/channels/nixos-unstable/store-paths.xz | xz -d | xargs nix-store -r in a timer)
<pie__> where thats = salt files
<pie__> and complicated = not the basic implementation, but making sure it actually does what it says on the tin
<andi-> just build everything from source! :)
<pie__> im actually testing abusing using nix to process binary samples xD
<pie__> probably wont scale though, im just using it locally
<pie__> then again, with how slow the tools are, nix is probably fie
<pie__> fine
<pie__> where using = as the runner for stuff
periklis has joined #nixos-security
pie__ has quit [Ping timeout: 250 seconds]
periklis has quit [Ping timeout: 246 seconds]
<pie_> im told ghidra source is out
jpo-joyent has quit [Ping timeout: 264 seconds]
jpo-joyent has joined #nixos-security
erictapen has quit [Ping timeout: 245 seconds]
<andi-> CVE-2019-9193 is a nice example of why just requesting a CVE for everything isn't that great.. Several institutions just "warn" about it while it is actually a documented feature that just seems to surface due to wrong configurations... https://blog.hagander.net/when-a-vulnerability-is-not-a-vulnerability-244/ is a nice article to that..