<maljub01>
Hi there, I just had Nix warn me because it was about to install a package with a known vulnerability. I didn't know about this feature. It's pretty awesome! :)
<maljub01>
However, I'm wondering if the escape hatch is appropriate
<maljub01>
Ideally, a user should permit specific CVEs rather than specific vulnerable packages
<maljub01>
Because otherwise, one might think a particular insecure package is ok because it doesn't affect their use-case, but by whitelisting the package as a whole, they'll also be signing up for silently accepting any and all future vulnerabilities.
<maljub01>
So, my question is, would there be any interest in introducing an option for that? Basically `nixpkgs.config.permittedCVEs` or `nixpkgs.config.allowedVulnerabilities`
kalbasit_ has joined #nixos-security
kalbasit has quit [Ping timeout: 256 seconds]
red[evilred] has joined #nixos-security
<red[evilred]>
I think we have that mechanism kinda already - I'm still trying to understand it
<red[evilred]>
but it's in the specific nixpkg
<red[evilred]>
anyone?
<tilpner>
maljub01: You can probably match on specific package versions with allowInsecurePredicate
<tilpner>
(That should also allow you to prototype the CVE matching without any changes to nixpkgs)
cole-h has quit [Ping timeout: 240 seconds]
rajivr has quit [Quit: Connection closed for inactivity]
<red[evilred]>
I thought we had a meta-field that could list CVEs
<red[evilred]>
and blocked a package from being built unless the user accepted the CVEs in their config.nix
<red[evilred]>
if not - RFC time? ;-)
KREYREEN has quit [Remote host closed the connection]
KREYREEN has joined #nixos-security
ris has joined #nixos-security
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-security
star_cloud has quit [Ping timeout: 240 seconds]
KREYREEN has quit [Remote host closed the connection]
KREYREEN has joined #nixos-security
FRidh has quit [Read error: Connection reset by peer]