#nixos-security on 2019-05-29

2019-04-23 19:29 gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh

00:52 Synthetica has quit [Quit: Connection closed for inactivity]

04:37 timokau[m] has quit [Remote host closed the connection]

04:42 timokau[m] has joined #nixos-security

05:21 n_db has quit [Remote host closed the connection]

08:00 pie_ has quit [Ping timeout: 258 seconds]

08:58 pie_ has joined #nixos-security

08:59 pie___ has joined #nixos-security

09:02 pie_ has quit [Ping timeout: 250 seconds]

09:14 <pie___> random xpost about firefox/thunderbird updates https://security.archlinux.org/ASA-201905-8

09:21 <flokli> uff

13:28 Synthetica has joined #nixos-security

13:47 <pie___> wonder if we could/should do something like SSL Observatory but for build reproductions

13:47 <pie___> (basically a database of input - output hashes?)

13:51 <andi-> What would that serve us? We have r13y.com that is alreayd a step in that direction. What that would be is basically a database that takes all the narinfo files and puts them in a database?

15:27 <ekleog> if we have a third “input-output correspondance signature” field (and maybe a fourth “signer” field) it'd make something really useful IMO

15:27 <ekleog> for the “distrust hydra” long-term objective

15:27 <ekleog> now, it's not at all a priority IMO

15:32 <pie___> dunno how to prevent malicious spam tho

15:36 <ekleog> not sure spam would be a big issue, with no amplification factor

15:41 <pie___> how do you differentiate valid and invalid data

15:42 <pie___> ok thats kind of orthogonal

15:43 <ekleog> yup

15:43 <ekleog> one will be assumed to trust only known signers

15:44 <ekleog> if someone downloads the data and trusts everyone, it's their problem

15:45 <pie___> i figured something somethign web of trust but does that really work

17:06 pie___ has quit [Ping timeout: 272 seconds]

17:43 justanotheruser has quit [Ping timeout: 272 seconds]

18:03 pie_ has joined #nixos-security

19:08 justanotheruser has joined #nixos-security

19:59 justanotheruser is now known as Mr_Notheruser

20:17 Mr_Notheruser has quit [Ping timeout: 252 seconds]

20:18 justanotheruser has joined #nixos-security

20:24 <Foxboron> pie__: My master thesis is about publishing rebuild submission of debian packages on a transparency log

20:27 <Foxboron> ekleogs approach is a bit similar to what we discussed at the reproducible builds summit regarding trusting rebuilders. Leave trust up to the user, but distribute a initial list.

20:47 <pie_> Foxboron, oh huh sounds hard

20:47 <pie_> is the thesis done yet?

20:48 <Foxboron> Delivery on saturday :p

20:48 <pie_> good luck \o/ :D

20:48 <Foxboron> thanks! Interesting topic :)

20:48 <Foxboron> Going to be playing a lot with these concepts in relation to Arch Linux when i'm done with this

22:46 justanotheruser has quit [Read error: Connection reset by peer]

23:23 Synthetica has quit [Quit: Connection closed for inactivity]