<aminechikhaoui>
Hello, I'm posting the same question I asked in #nixos-chat:
<aminechikhaoui>
I'm curious how tools such as https://www.rapid7.com/products/insightvm/ do package scanning in a live system? Does it rely only on the package version, or does it need to support each package manager to know if an installed package has security updates?
<aminechikhaoui>
But for more general context, I'm trying to understand what it would take to have something like vulnix that can run in a live system without necessarily having the derivations available.
<aminechikhaoui>
What if we had a path that lists the applied CVE/security patches, under /nix/store/<pkg>/nix-support/security-patches for example?
<aminechikhaoui>
Then a tool like vulnix wouldn't need to have the derivation available to figure out whether patches are applied.
<flokli>
aminechikhaoui: I guess this would require some hacks in nixpkgs, while we currently simply apply patches and match on the name there.
<aminechikhaoui>
It could even be <pkg>/nix-support/patches, with the patch filenames in the file, generated automatically from the patches attribute in the derivation.
<aminechikhaoui>
Then we teach vulnix to check there and look for CVE identifiers.
<aminechikhaoui>
But since there is already a convention for patching CVEs, maybe it's not that big of a change, although I'm not really sure.
<pie_>
Tired so I didn't look carefully, but what if there are multiple vulnerable derivations?
<pie_>
I haven't looked at this infra at all yet so idk how it works.
<pie_>
(Well, I guess you could have (package, [CVE list]) pairs, so that would deal with that (?))
<pie_>
(So never mind, I guess.)
<aminechikhaoui>
pie_: yeah, vulnix already looks at the dependency graph, so it would look at the closure of a pkg and generate the same output, which is, as you said, pkg: [CVE list].
<pie_>
cool
<pie_>
sooo many things to learn about x3
<pie_>
aminechikhaoui, oh sorry, I completely missed that you parametrized over <pkgs>
<pie_>
* pkg
<pie_>
That's what I get for being a lazy reader.
<pie_>
Personally, I like the idea.
<pie_>
Then the issue is just wondering whether the patch is just there or REALLY applied! ;P
<aminechikhaoui>
Well, if it doesn't apply, the build would fail, right?
<pie_>
I suppose.
<pie_>
But I was mostly joking.
<aminechikhaoui>
:D
<pie_>
How does nix deal with metadata? It ends up in the drv?
<pie_>
This might be slippery-sloping it a bit, but where does one draw the line between what ends up in a random support file and what ends up in the drv?
<pie_>
Well OK, I guess what ends up in the drv (?) would just be stuff that is critical to nix functioning properly.
<pie_>
What do you mean that we would need changes in nixpkgs for your idea?
<aminechikhaoui>
pie_: I meant if we want to add a file to nix-support/patches, then stdenv's setup.sh needs to handle that.
<pie_>
I'm not familiar with stdenv's relation to this (or how nix-support in general works; I've *seen* that it exists).
<{^_^}>
#46141 (by Profpatsch, 37 weeks ago, open): Manual: document the canonical files in `/nix-support`
<aminechikhaoui>
Yeah, I don't have much knowledge of stdenv's machinery either, but I know that patches is a stdenv.mkDerivation attribute, so in theory it can be used to automatically create such a file.