<andi-> You might want to think about expiration dates for signatures so nobody is able to present you an old channel bump (with severe issues) instead of the current one... Ofc that isn't really in the spirit of how the binary cache currently works so you'll be back at a nixos.org/channels/… file that must be generated regularly (daily? weekly?). Just my 2 cents..
<pie___> andi-, would that be handled by not allowing "upgrading" to a version older than the current one unless the user explicitly requests it?
<pie___> i think i heard about hackage implementing something called the Update protocol or something that might be interesting though
infinisil has quit [Quit: Configuring ZNC, sorry for the joins/quits!]
infinisil has joined #nixos-security
justanotheruser has quit [Ping timeout: 264 seconds]
justanotheruser has joined #nixos-security
<xorAxAx> hmm, i am currently comparing https://www.debian.org/security/ against the nixpkgs repository and i e.g. find gs unpatched in nixpkgs
<xorAxAx> is there any coordination of CVEs with the nixos security team in general?
<pie_> xorAxAx, not sure how up to date but i found the following informative, https://www.youtube.com/watch?v=6esAi2OxULo
<pie_> there are also issues on github discussing security and stuff, also this channel
<pie_> idk what the general state of things is though
<pie_> i assume you've seen https://nixos.org/nixos/security.html
<xorAxAx> yes
<pie_> andi has been working on some web ui showing current patch statuses, it's up somewhere...
<pie_> but i think that's just a frontend to vulnix (not sure)
justanotheruser has quit [Ping timeout: 246 seconds]
<andi-> Not a vulnix Frontend :) https://broken.sh/
justanotheruser has joined #nixos-security