#nixos-security on 2019-08-02

2019-04-23 19:29 gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh

01:49 justanotheruser has joined #nixos-security

04:19 justanotheruser has quit [Ping timeout: 258 seconds]

04:27 justanotheruser has joined #nixos-security

07:51 justanotheruser has quit [Ping timeout: 245 seconds]

08:49 justanotheruser has joined #nixos-security

09:08 erictapen has joined #nixos-security

09:17 c4rc4s has quit [Remote host closed the connection]

09:18 c4rc4s has joined #nixos-security

09:28 pietranera has joined #nixos-security

10:33 erictapen has quit [Ping timeout: 244 seconds]

11:08 hmpffff has joined #nixos-security

11:27 justan0theruser has joined #nixos-security

11:29 justanotheruser has quit [Ping timeout: 258 seconds]

11:59 erictapen has joined #nixos-security

12:54 hmpffff has quit [Quit: Bye…]

13:28 hmpffff has joined #nixos-security

16:14 <pie_> I wonder if we could pre-distribute encrypted security fixes

16:14 <pie_> *escrowed

16:14 <pie_> ok maybe thats pointless though

16:15 <pie_> if you can distribute the encryption key there isnt really a reason you couldnt distribute the fix

16:18 <gchristensen> no

16:18 <gchristensen> one of the rules is there must be no side-channel information leaking the fact that there even is a vulnerability

16:19 <pie_> fair enough, for the sake of argument though, if its properly encrypted that means yuo dont know anything about the target?

16:20 <gchristensen> the target doesn't matter

16:20 <gchristensen> for example: hydra.nixos.org suddenly losing a lot of capacity to take it over to a different secret hydra would be an inapropriate information leakage

16:22 <xorAxAx> where does that requirement come from?

16:22 <gchristensen> the linux-distros list

16:22 <xorAxAx> ah, and its valid before coordinated release?

16:22 <xorAxAx> s/valid/in effect/

16:22 <gchristensen> right

16:23 <xorAxAx> well, you would need a second hydra instance then - which runs on a separate machine

16:23 <xorAxAx> in debian, the security team is separate from many things

16:23 <gchristensen> exactly

16:35 <pie_> ok so the existence of _any_ vulnerability

16:35 <pie_> that seems needlessly restrictive?

16:36 <gchristensen> of vulns shared on linux-distros, yes

17:06 erictapen has quit [Ping timeout: 268 seconds]

19:17 pietranera has quit [Quit: Leaving.]

22:24 Henson has joined #nixos-security

22:31 <Henson> andi-: are you around?

22:34 <Henson> gchristensen: are you around?

22:34 <aanderse> Henson: whats up?

22:35 <aanderse> security issue?

22:35 <aanderse> :)

22:37 <Henson> Yeah, just confirming that with the openssh pull request I should just make the changes to the master branch and do a pull request on the master branch, and not make a separate topic branch (which is something github's pull request info documents suggest)

22:38 <qyliss> You mean your fork's master branch?

22:38 <qyliss> I'd recommend against it, because you can't use that branch for anything else without affecting your pull request

22:38 <Henson> Yes

22:39 <qyliss> Strongly recommend just creating a different branch.

22:39 <Henson> Ok, so separate topic branch is the way to go, then request merging the topic branch into nixos master?

22:39 <qyliss> Yep.

22:39 <qyliss> Or staging, depending on what's appropriate.

22:39 <Henson> Ok, that makes sense

22:40 <Henson> Well, I've never done this before, so whatever is the most correct way to do this. Should I request a pull into staging?

22:40 <qyliss> Staging is for changes that require lots of rebuilds.

22:40 <qyliss> What are you changing?

22:41 <Henson> Fixing two CVE vulnerabilities in the openssh package.

22:41 <qyliss> Put that to staging

22:41 <Henson> Ok

22:41 <qyliss> Lots of things depend on OpenSSH and would have to be rebuilt.

22:41 <qyliss> So it can't go straight to master.

22:41 <Henson> Brb, need to hop off WiFi and onto mobile

22:41 Henson has quit [Remote host closed the connection]

22:41 <aanderse> you're awesome Henson!

22:42 Henson has joined #nixos-security

22:42 <Henson> Ok, I'm back

22:42 <qyliss> Henson: while you were away you missed:

22:42 <qyliss> <aanderse> you're awesome Henson!

22:43 <aanderse> ^_^

22:43 erictapen has joined #nixos-security

22:44 <qyliss> Henson: the one other thing I was going to suggest if you're new to this is to create your branch from staging, rather than master. Otherwise it's easy to end up sending a PR for all of master to be merged into staging, as well as your changes.

22:46 justan0theruser is now known as justanotheruser

22:49 <Henson> Ok, so create a topic branch from staging and request it be merged into staging.

22:50 erictapen has quit [Ping timeout: 246 seconds]

22:51 <qyliss> Yeah

22:52 erictapen has joined #nixos-security

22:53 <Henson> Ok, thanks for the help!

22:56 <qyliss> Post the PR when it's done and I'll have a look if I'm still awake

22:57 <Henson> I probably won't get around to it until several hours from now, if at all today, so don't wait up :-)

22:59 <Henson> And what exactly do you mean by "post the PR"?

23:00 <qyliss> Like, once you've made a pull request, post its URL in this channel and mention my IRC nick so I'm notified of it.

23:02 erictapen has quit [Ping timeout: 244 seconds]

23:03 <Henson> Ok

23:04 <Henson> It looks like some people use their real names in git commits, and some use aliases. Any best practice recommendations on that one?

23:08 <qyliss> If you're comfortable using your real name, do.

23:08 <qyliss> Although be aware that you can never change your mind, because we can't change the git history.

23:23 <Henson> Oh, also after a huge delay, thanks aanderse :-)

23:51 hmpffff has quit [Quit: nchrrrr…]