06:19 <andi-> You might want to think about expiration dates for signatures so nobody is able to present you an old channel bump (with severe issues) instead of the current one... Ofc that isn't really in the spirit of how the binary cache currently work so you'll be back at a nixos.org/channels/… file that must be generated regulary (daily? weekly?). Just my 2 cents..

18:11 <pie___> andi-, would that be handled by not allowing "upgrading" to a version older than the current one unless the user explicitly requests it?

18:12 <pie___> i think i heard about hackage implementing something called the Update protocol or something that might be interesting though

21:44 <xorAxAx> hmm, i am currently comparing https://www.debian.org/security/ against the nixpkgs repository and i e.g. find gs unpatched in nixpkgs

21:45 <xorAxAx> is there any coordination of CVE's with the nixos security team in general?

22:10 <pie_> xorAxAx, nor sure how up to date but i found the following informative, https://www.youtube.com/watch?v=6esAi2OxULo

22:10 <pie_> there are also issues on github discussing security and stuff, also this channel

22:10 <pie_> idk what the general state of things is though

22:11 <pie_> i assume youve seen https://nixos.org/nixos/security.html

22:11 <xorAxAx> yes

22:11 <pie_> andi has been working on some web ui showing current patch statuses its up somewhere...

22:12 <pie_> but i think thats just a frontend to vulnix (not sure)

23:16 <andi-> Not a vulnix Frontend :) https://broken.sh/