gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
kleisli__ has quit [Ping timeout: 246 seconds]
ris has joined #nixos-security
_ris has quit [Ping timeout: 264 seconds]
ris has quit [Ping timeout: 246 seconds]
kleisli__ has joined #nixos-security
rajivr has joined #nixos-security
hoverbear has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]
ajs124 has quit [Quit: killed]
ajs124 has joined #nixos-security
kleisli_ has joined #nixos-security
kleisli__ has quit [Ping timeout: 240 seconds]
justanotheruser has quit [Ping timeout: 244 seconds]
justanotheruser has joined #nixos-security
FRidh has quit [Remote host closed the connection]
FRidh has joined #nixos-security
justanotheruser has quit [Ping timeout: 260 seconds]
justanotheruser has joined #nixos-security
ris has joined #nixos-security
FRidh has quit [Ping timeout: 265 seconds]
FRidh has joined #nixos-security
Freneticks has quit [Quit: WeeChat 2.3]
FRidh has quit [Quit: Konversation terminated!]
kleisli_ has quit [Ping timeout: 240 seconds]
kleisli_ has joined #nixos-security
rajivr has quit [Quit: Connection closed for inactivity]
kleisli_ has quit [Ping timeout: 260 seconds]
justanotheruser has quit [Ping timeout: 244 seconds]
Raito_Bezarius has joined #nixos-security
<Raito_Bezarius> hi there
<Raito_Bezarius> I had a quick question regarding nixpkgs security model
<Raito_Bezarius> If someone comes and adds a malware package which looks a "real package"
<Raito_Bezarius> what happens?
<Raito_Bezarius> how much nixpkgs is protected against such attacks?
<Raito_Bezarius> let's admit he even tries to do a real package, without any malware in it
<Raito_Bezarius> and then he sends a bump PR
<Raito_Bezarius> where the new hash points to a malware version
<MichaelRaskin> Malware or known-vulnerable?
<Raito_Bezarius> Rather malware
<Raito_Bezarius> Like I do some soft, then I add a SSH stealing key feature
<MichaelRaskin> Switching upstream makes people ask for some justification
<Raito_Bezarius> If it's "a new package" ?
<MichaelRaskin> If you create a new project with some reasonable functionality to later insert malware in the next bump, _that_ indeed won't be caught
<Raito_Bezarius> Is there a real threat in practice?
<Raito_Bezarius> is that *
<MichaelRaskin> Also, Nixpkgs contains so much half-broken niche software that people hopefully quickly lose the idea that existence of a package is an indication … of anything
<Raito_Bezarius> :D
<MichaelRaskin> Maybe it is an indication that it was buildable at least once in the history
<MichaelRaskin> If you want to mount an attack with a chance of actual impact, the process would probably be different
<MichaelRaskin> Step 1. Submit PRs fixing real build failures. Ideally one or two daily, for a month. Also build random PRs, test the result and comment on testing results.
<MichaelRaskin> That gives you quite a bit of reputation even if you do not ask for the commit access yet
<MichaelRaskin> Step 2. Wait until a high-profile package has an upstream vulnerability.
<MichaelRaskin> Step 3. Submit a patch that is a part of the upstream fix, but insufficient in isolation, as a full fix.
<MichaelRaskin> Don't forget about backports, obviously
<Raito_Bezarius> Thanks MichaelRaskin :)
<Raito_Bezarius> Makes sense
<MichaelRaskin> Now I am scared
<gchristensen> MichaelRaskin: not used to being sensible?
<MichaelRaskin> Your response is perfectly consistent with a «hm, a nice plan, should try» reaction
<Raito_Bezarius> :DDDDDD
<Raito_Bezarius> Well, I had a friend who asked me why this was not feasible
<Raito_Bezarius> And he even said "I should definitely try", and I said to him to come here ask for permission first :DDDD
<Raito_Bezarius> But my "makes sense" is more now "I am going to increase my caution level"
<MichaelRaskin> I think even Debian only tries to keep close track of the highest-impact upstreams
justanotheruser has joined #nixos-security
<infinisil> But then again, if it's a niche package you could contaminate without people realizing, it's probably so niche that there's almost no benefit to doing it
<infinisil> Like, Linux is already niche, NixOS even more so, and then add the package nicheness too
<infinisil> Very high effort for very little benefit
<gchristensen> unless you happen to know a specific target who uses a niche tool
<infinisil> (though the nicheness of Linux and NixOS could change over time)
<gchristensen> (I'd argue it is rapidly becoming less niche)
hoverbear has joined #nixos-security
<infinisil> Interesting security notification I just got from thunderbird: https://paste.infinisil.com/f-wYS6E88U.png
kleisli_ has joined #nixos-security
<gchristensen> this is why I don't use my email client to manage PGP
<Raito_Bezarius> mutt works ~okish I suppose
<Raito_Bezarius> but the problem in all of this is PGP
<gchristensen> :)
<infinisil> I'm not sure there's anything better. Keybase perhaps in the future
<gchristensen> depends on your goals
<gchristensen> for my goals, something like age is a better fit I think
kleisli__ has joined #nixos-security
kleisli_ has quit [Ping timeout: 260 seconds]
lejonet has quit [Ping timeout: 256 seconds]
lejonet has joined #nixos-security