gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
Yakulu has joined #nixos-security
tv has quit [Ping timeout: 246 seconds]
lassulus has quit [Ping timeout: 268 seconds]
tv has joined #nixos-security
lassulus has joined #nixos-security
justanotheruser has quit [Ping timeout: 244 seconds]
justanotheruser has joined #nixos-security
hmpffff has joined #nixos-security
zimbatm has joined #nixos-security
<zimbatm> hi all, just wanted to make sure that you see this: https://github.com/NixOS/nixpkgs/security/policy
<zimbatm> also when you create a new issue there is now a link to the policy: https://github.com/NixOS/nixpkgs/issues/new/choose
<andi-> Yay :-) (ney more lock-in to github ;-))
<samueldr> at least it is superficial
<samueldr> and low engagement for the value, I think
<andi-> yeah
Henson has joined #nixos-security
<Henson> gchristensen: I also have another question, I noticed on the broken.sh site the openssh package has several vulnerabilities listed which have been fixed in the Debian version of these packages. Is patching the NixOS version of these not a simple matter of just incorporating the Debian patches into the source?
<Henson> these packages -> this package
<gchristensen> right
<gchristensen> that is often a possible solution (other possible solutions might be upgrading the package)
<gchristensen> but nothing is simple around actually _doing_ security updates. it is a steady flow of pretty depressing work
<Henson> oh
<aanderse> "it is a steady flow of pretty depressing work"
<aanderse> motivational speaking at its best
<aanderse> ha ha ha
<gchristensen> Henson: if you'd like to get involved, that would be wonderful
<gchristensen> we try to keep up, but even some big things fall through the cracks
<andi-> Oh, last time I checked on these there were not upstream patches but now there are \o/
<gchristensen> (they are eventually gotten, of course)
<Henson> well, what are some ways in which I could help out? I like NixOS and computer security, and if it's something I'm able to do I might be able to help
<andi-> Henson: can/will you open a PR for OpenSSH? I could probably work on it after swapping trains in an hour.
<Henson> andi-: see, I don't even know how to do that. I'm assuming you're saying I should fork the nixpkgs code on github, upgrade or patch the OpenSSH derivation and test it, and then request a pull on the fixed code?
<andi-> Henson: yes
<andi-> if you need any kind of hand along the process let me know
<Henson> andi-: although I've been a long-time Linux and open source user, I've never actually gotten involved in contributing
<Henson> andi-: ok, I'll see what I can do, but it probably won't be soon. I'm swamped at work and am just about to go on vacation, but I love to tinker, and will tinker in the direction of figuring this out.
<andi-> Henson: that's what got me stuck here.. it is so easy to modify and contribute :-)
<gchristensen> Henson: yeah :) easy to do! welcome to the community :)
<Henson> :-)
<andi-> I have been thinking about posting new "findings" of broken.sh to this channel automatically. Would that just be spam or actually be helpful? (Will have to restructure a bit of code for that to work...)
<aanderse> <3 Henson
<{^_^}> Henson's karma got increased to 1
<andi-> (I have this weekend free for hacking on things since I am cat-sitting at my parents ^^)
<samueldr> andi-: maybe try it out and see; if it's too much another channel could be used for that purpose I figure
<gchristensen> yeah
<gchristensen> it might be a cool way to give a casual " hey maybe try this one out"
<gchristensen> maybe {^_^} or another bot could learn how to respond to !cve, and a random CVE is dished out for looking at :P
<andi-> I am trying to get some ground work done towards using it as an API to check revisions (And compare them). While working on that I am trying to figure out what else could/should be changed.
<aanderse> "I have been thinking about posting new "findings" of broken.sh to this channel automatically." <- please
<andi-> alright, I'll try to work towards that. It will probably start out as a listing/API endpoint on the website and then eventually we can feed that to a bot.
<gchristensen> andi-: if you'd like I can let you post through {^_^}
<andi-> gchristensen: well I am not at the point where I have a signal that I can just emit when something new arrives. So far the whole process doesn't care if it was executed now or yesterday. Also doesn't know about the previous state. I basically try to create all missing entries on every new run.
justanotheruser has quit [Ping timeout: 248 seconds]
<gchristensen> right
<gchristensen> well when you're ready, if you'd like, we could set that up
<andi-> :-)
<andi-> sure
<gchristensen> (it can be done with curl or a proper rabbitmq client)
<andi-> I want to remove intermediate processing steps right now... E.g. it takes n + 2 steps right now to generate a new version of the page. (n being the revisions in the channels)
<gchristensen> ahh
justanotheruser has joined #nixos-security
<Henson> I have a question about apparmor under NixOS. Is it actually practical for it to work? The apparmor package in NixOS just seems to take everything from the Ubuntu apparmor package, which assumes everything is in a FHS hierarchy. Since apparmor is path-based, and doesn't respect symlinks, I don't think the apparmor package for NixOS is actually able to do anything
<andi-> AppArmor doesn't actually work for more than one package AFAIK
andi- has quit [Quit: WeeChat 2.5]
<Henson> ok
Henson has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
andi- has joined #nixos-security
infinisil has quit [Quit: Configuring ZNC, sorry for the joins/quits!]
infinisil has joined #nixos-security
hmpffff has quit [Quit: nchrrrr…]