gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
lassulus has quit [Read error: Connection reset by peer]
lassulus has joined #nixos-security
Synthetica has quit [Quit: Connection closed for inactivity]
justan0theruser has joined #nixos-security
justanotheruser has quit [Disconnected by services]
justan0theruser is now known as justanotheruser
justanotheruser has quit [Ping timeout: 258 seconds]
justanotheruser has joined #nixos-security
infinisil has quit [Quit: Configuring ZNC, sorry for the joins/quits!]
infinisil has joined #nixos-security
justanotheruser has quit [Ping timeout: 255 seconds]
justanotheruser has joined #nixos-security
justanotheruser has quit [Ping timeout: 246 seconds]
ckauhaus has joined #nixos-security
Synthetica has joined #nixos-security
infinisil is now known as duh
duh is now known as infinisil
ckauhaus has quit [Quit: WeeChat 2.4]
ckauhaus has joined #nixos-security
LnL7 is now known as LnL
colemickens has quit [Ping timeout: 240 seconds]
Synthetica has quit [Ping timeout: 258 seconds]
Synthetica has joined #nixos-security
colemickens has joined #nixos-security
justanotheruser has joined #nixos-security
Synthetica_ has joined #nixos-security
Synthetica has quit [Ping timeout: 258 seconds]
Synthetica_ is now known as Synthetica
Synthetica has quit [Quit: Connection closed for inactivity]
MichaelRaskin has joined #nixos-security
ckauhaus has quit [Quit: WeeChat 2.4]
<pie_> So I was talking to someone and they didn't feel like bringing up the following here, but I thought it might warrant bringing up:
<pie_> 'Seeing the word "security" next to unquoted bash variables frightens me. All around in this file: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/wrappers/default.nix#L37'
<pie_> Presumably it's not really an issue because it's run at Nix time, so whoever does anything with this has to have the ability to reconfigure the system anyway, but...
<pie_> I at least think security-relevant code should be held to higher standards? Am I making a big deal out of nothing?
<infinisil> (someone = me)
<gchristensen> Couldn't hurt to make it better.
<pie_> I don't have a good way to make it work, but I feel like we should be shellchecking everything :(, can't really directly shellcheck Nix code though.
<pie_> ^ not meant as a complaint
<gchristensen> Yeah, it is hard, since it causes mass rebuilds.
<pie_> I don't follow.
<pie_> Shellchecking causes mass rebuilds?
<gchristensen> Ah, sure.
<gchristensen> So we can't just use shellcheck everywhere, because it depends on GHC,
<gchristensen> so we can't bootstrap with it.
<pie_> Oh hm, I guess we theoretically could shellcheck at runtime, didn't think of that.
<gchristensen> Another idea would be to be able to inject it dynamically and then build everything to see how it goes.
<pie_> The farthest I got was thinking we could try, like... a one-time shellcheck on merges or something to see if the baseline is okay-ish :/
<gchristensen> Sort of like how checkMeta works, only if you turn it on.
<andi-> Still, every system would depend on GHC... Shouldn't do that... There might be some people that wouldn't mind or even like GHC being in the small set...
<gchristensen> Yeah, that is out of the question.
<pie_> I think this is what I meant with the first "oh hm": <gchristensen> another idea would be to be able to inject it dynamically and then build everything to see how it goes
<andi-> ahh on merges
<gchristensen> but maybe there could be a shellcheck-a-drv tool
<pie_> could be an optional system thing to enable for nixpkgs hackers
<gchristensen> isnixpkgsshellchecked.com
<pie_> not _YET_
<pie_> :D
<gchristensen> i19d.com
<gchristensen> (lmao)
<andi-> pie_: go ahead, would like to see that :D
<pie_> What's the number btw?
<pie_> the other thing has 18
<andi-> number of characters
<pie_> andi-, definitely ENOTIME :(
<pie_> oh
<gchristensen> I was being dumb
<pie_> Though this would be more important than the WINE stuff I'm screwing with.
<pie_> I mean, NixOS is the advanced-ass tooling-ass people, right? ;)
<gchristensen> I'd love to see a route where drvs can be shellchecked.
<pie_> who needs 20000 maintainers under the sea when you have automation
<pie_> anyway
<andi-> nixpkgs.overlays = [ self:super: { callPackage = *magic* super.callPackage; } ] ?
<gchristensen> oh dear :D
<pie_> (you just need 20000 people to have enough to sample ones that can actually understand the tooling :P)
<andi-> and if that depends on a config option it might not even (always) cause rebuilds
<pie_> Something something solve bug classes, not bugs, but I'll stop spamming memes now.
<gchristensen> fewer memes more cool tools
<pie_> I don't know enough about Nix semantics to have a clue how strings actually end up as shell code (or shellcode? :P)
<gchristensen> Ever examined a drv?
<pie_> I've looked at show-derivation.
<infinisil> How about compiling shellcheck statically with https://github.com/nh2/static-haskell-nix, then making a zero-deps shellcheck that could be hosted somewhere and updated separately every so often
<gchristensen> nix show-derivation $(which bash)
<pie_> But isn't a lot of it just magic variables passed to setup.sh?
<infinisil> (well it is zero-dep with static compiling)
<pie_> or whichever builder=
<gchristensen> look at `builder`
<pie_> infinisil, hmm intriguing idea
<gchristensen> and `args`
<pie_> gchristensen, what I really mean to say is: can we actually theoretically reasonably expect to catch everything?
<gchristensen> everything? no
<pie_> Can we reasonably enumerate cases we can't catch?
<pie_> i.e. are we going to be surprised?
<andi-> build-time generate shell scripts
<gchristensen> if it were me
<pie_> known unknowns etc
<gchristensen> I'd stop worrying about catching everything and just see what kind of tool I can make as quickly as I can
<pie_> I'm bad at that.
<andi-> maybe start with the generate activation script and (transparently) apply shellcheck on it
<andi-> *generated
<pie_> But yeah, I guess if configurations have a lot of common mechanisms, per andi-'s above suggestion, I guess a lot would be covered by just that + standard setup.sh stuff.
<LnL> the way stdenv phases currently work makes this kind of difficult, setup.sh runs eval on some random variables
<pie_> It's not important if it doesn't hit the important code though (has positive secondary effects however).
<gchristensen> LnL: nothing a little eval() { cat "$@" > lol.sh; shellcheck lol.sh; } can't solve
<andi-> I would focus (at first) on stuff that is executed outside of the sandbox.
<pie_> where by "its" I mean doing this at all ^
<gchristensen> (:|)
<pie_> gchristensen, christ lol :D
<LnL> hmm, yeah maybe
<pie_> gchristensen, thanks i hate (love) it
<gchristensen> delighted to help
<pie_> Does bash actually let you do that?
<gchristensen> oh sure
<pie_> sweet
<MichaelRaskin> gchristensen: it should be "echo"
<MichaelRaskin> Or maybe something about «type» to find sources?
<pie_> infinisil, I guess I'd have an excuse to figure out static builds, but ughhhhhh, seems like a horrible rabbit hole.
<pie_> I did see there's unfinished GitHub issues about a static nixpkgs layer or some such.
<LnL> that would only catch basic stuff tho, ideally shellcheck would have enough context to know what variables are available, etc.
<pie_> tv, the last person I talked to about this stuff was you (shellcheck over nixpkgs) ^
<pie_> gchristensen, lol
<pie_> Put it in a CTF xD
<gchristensen> one way to escape is to use `builtin`
<gchristensen> [grahamc@Petunia:~]$ builtin type bash
<gchristensen> bash is a shell function
<LnL> gchristensen: I think your idea (or a whitelist of known phase variables) could work to catch basic bash syntax errors with ofborg
<gchristensen> but even that isn't foolproof: [grahamc@Petunia:~]$ builtin() { echo "bash is a shell function"; }
<gchristensen> [grahamc@Petunia:~]$ builtin type lol
<gchristensen> bash is a shell function
<gchristensen> LnL: that is a cool idea
<xorAxAx> tainting.
* pie_ searching github issues
<infinisil> Here is what I've been working on for the last few hours or so: https://github.com/NixOS/nixpkgs/pull/60289
<{^_^}> #60289 (by Infinisil, 31 seconds ago, open): [Experiment] Separate security wrappers from NixOS
<andi-> uargh, not sure I'd like random sudo calls on shell entrance but yeah :-)
<infinisil> andi-: If you need setuid wrappers that's a neat way I think
n_db has quit [Remote host closed the connection]
<infinisil> Alternatively you could just add the setup binary to PATH and call that yourself
<pie_> not really sure what happened here https://github.com/NixOS/nixpkgs/pull/13542
<{^_^}> #13542 (by zimbatm, 3 years ago, closed): RFC: Style and shellchecks
<{^_^}> #21166 (by 3noch, 2 years ago, open): Crazy idea: run ShellCheck on scripts, mkDerivation, runCommand, etc.
<{^_^}> #28001 (by evujumenuk, 1 year ago, open): trivial-builders: use shellcheck instead of 'sh -n'
* pie_ runs off for a bit
n_db has joined #nixos-security
justanotheruser has quit [Ping timeout: 246 seconds]
<pie_> Bloody 'ell, my cold's getting worse. Mucous membranes are all over the place.
<pie_> Crazy idea:
<pie_> wrap the system bash to call shellcheck first.
<pie_> Of course that doesn't help with coverage per se, but it will catch everything! :P (unless you have bashes somewhere else :p)
<pie_> And by "wrap the system bash" I mean wrap the bash derivations in nixpkgs.
justanotheruser has joined #nixos-security
<pie_> I guess on that note, do we have any way of measuring code coverage?
justanotheruser has quit [Quit: WeeChat 2.4]
justanotheruser has joined #nixos-security
justanotheruser has quit [Ping timeout: 258 seconds]
justanotheruser has joined #nixos-security
justanotheruser has quit [Client Quit]
justanotheruser has joined #nixos-security
colemickens is now known as colemickens[m]1
colemickens[m]1 is now known as colemickens[m]3
colemickens[m]3 is now known as colemickens[m]2
colemickens[m]2 is now known as colemickens
colemickens has quit []
justanotheruser has quit [Ping timeout: 255 seconds]
justanotheruser has joined #nixos-security
<infinisil> code coverage for nix would be neat
<pie_> I'm not actually sure how much sense that makes.
<pie_> OK, maybe it doesn't make sense out of context (duh).
justanotheruser has quit [Ping timeout: 258 seconds]