andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
justanotheruser has quit [Ping timeout: 240 seconds]
star_cloud has quit [Ping timeout: 264 seconds]
star_cloud has joined #nixos-security
supersandro2000 has quit [Disconnected by services]
supersandro2000 has joined #nixos-security
justanotheruser has joined #nixos-security
rajivr has joined #nixos-security
nh2 has quit [Read error: Connection reset by peer]
elvishjerricco has quit [Ping timeout: 264 seconds]
nh2 has joined #nixos-security
elvishjerricco has joined #nixos-security
star_cloud has quit [Ping timeout: 240 seconds]
star_cloud has joined #nixos-security
star_cloud has quit [Excess Flood]
star_cloud has joined #nixos-security
star_cloud has quit [Ping timeout: 240 seconds]
supersandro2000 has quit [Quit: The Lounge - https://thelounge.chat]
supersandro2000 has joined #nixos-security
BlackMug has joined #nixos-security
<BlackMug> Hi there
<BlackMug> How possible is it that NixOS has these security criteria: https://www.whonix.org/wiki/Dev/Operating_System#Criteria_for_Choosing_a_Base_Distribution
star_cloud has joined #nixos-security
<simpson> Sure.
<simpson> Note that almost nothing works without systemd, so you'll have to put in effort to provide your own init setup. That said, folks have done it before, so it's not impossible.
<BlackMug> No problem, currently Whonix is familiar with systemd anyway since it's based on Debian
<BlackMug> But not sure how much NixOS is willing to harden their stuff, like sandboxing using MAC and/or namespaces, etc.
<BlackMug> It's true that a package with only user-level privileges has less impact on the system, but it still poses a security threat without a sandbox
<simpson> Rather than hardening, our dominant security paradigm is based on the principle of least authority. Nix requires packages to explicitly declare which other packages they need as inputs, as if packages were capabilities.
<simpson> But indeed, folks have checked in various hardening and mitigation patches, just like in other distros.
<BlackMug> Great. Do you have tickets or so? For example, is there a ticket to force defining a MAC like AppArmor or SELinux for each package? (similar to iOS/Android apps)
kalbasit has quit [Ping timeout: 240 seconds]
<BlackMug> Does NixOS use OpenSSL, GnuTLS, etc. for their package manager? (LibreSSL is the preferred one since it's the hardened version of OpenSSL)
<qyliss> Nix makes it easy to override libraries, so you could use whatever you wanted if it was API-compatible
<BlackMug> I meant the Nix package manager itself, what does it use?
<BlackMug> Guix for example uses OpenSSL, apt uses GnuTLS, and so on
<qyliss> It uses OpenSSL
<BlackMug> Ah, I see
<BlackMug> Yeah, this as well has a hardening way, by shifting to LibreSSL, which is the hardened version of OpenSSL
<qyliss> You may also be interested in https://git.causal.agency/libretls/, which is a wrapper for libressl's new libtls implementing the OpenSSL API
<BlackMug> I see, that's nice, but the idea is it needs to be done by Nix upstream and become the default process, otherwise it's not hardened when it comes to the SSL library
<BlackMug> Whonix does other crazy security stuff if you are interested, e.g.: https://github.com/Whonix/apparmor-profile-everything
<BlackMug> ...etc
<BlackMug> Whonix is looking for a futuristic partner that focuses on and solves the issue dilemma which current distros are falling into, especially when it comes to the security part
<simpson> BlackMug: What do you think of capability-aware platforms? Do seL4, Genode, Capsicum, or CloudABI seem like interesting directions?
<qyliss> isn't CloudABI dead?
<BlackMug> seL4 is nice and I think the future is with microkernels anyway, whether seL4 or Redox (Minix-like) or Hurd, etc.
<simpson> Probably. Capsicum on GNU/Linux is dead too, AIUI.
<BlackMug> But currently none of them is in a stable state that a distro can build itself on nicely, unless it's just for experimental/dev use only
<qyliss> ah you're looking for Whonix Workstation as well as for the gateway?
<BlackMug> Yeah, sure, or Whonix Host (under development)
<qyliss> what's that?
<BlackMug> But the current recommended host is Qubes OS
<qyliss> A VM host?
<BlackMug> yes VM host
<qyliss> oh cool
<BlackMug> So I wish you guys a bright future. If NixOS is interested in hardening itself and building itself with a hardened security mindset, then please don't hesitate to communicate with us in #whonix on OFTC or Telegram or Matrix
<BlackMug> I'm the outreach/support manager, pleasure talking to you
<simpson> BlackMug: Sure. If you want further reading, I really like http://habitatchronicles.com/2017/05/what-are-capabilities/ as a strong introductory article to capability-oriented security.
<BlackMug> simpson: sure, thanks for the link :)
BlackMug has left #nixos-security [#nixos-security]
cole-h has quit [Ping timeout: 240 seconds]
{^_^} has quit [Remote host closed the connection]
{^_^} has joined #nixos-security
star_cloud has quit [Remote host closed the connection]
star_cloud has joined #nixos-security
star_cloud has quit [Excess Flood]
star_cloud has joined #nixos-security
supersandro2000 has quit [Quit: The Lounge - https://thelounge.chat]
supersandro2000 has joined #nixos-security
justanotheruser has quit [Ping timeout: 264 seconds]
cole-h has joined #nixos-security
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-security
justanotheruser has joined #nixos-security
tilpner_ has joined #nixos-security
tilpner has quit [Ping timeout: 260 seconds]
tilpner_ is now known as tilpner
tilpner has quit [Ping timeout: 240 seconds]
tilpner has joined #nixos-security
tnias has joined #nixos-security
rajivr has quit [Quit: Connection closed for inactivity]
kalbasit has joined #nixos-security
star_cloud has quit [Remote host closed the connection]
star_cloud has joined #nixos-security
star_cloud has quit [Excess Flood]
star_cloud has joined #nixos-security
kalbasit has quit [Ping timeout: 256 seconds]
<WilliButz> already on it :)
<WilliButz> ty though
<hexa-> awesome
<{^_^}> #107762 (by WilliButz, 37 seconds ago, open): hedgedoc: 1.7.0 -> 1.7.1 (fixes CVE-2020-26286 and CVE-2020-26287)
cole-h has quit [Quit: Goodbye]
justanotheruser has quit [Ping timeout: 260 seconds]
{^_^} has quit [Ping timeout: 260 seconds]
cole-h has joined #nixos-security
{^_^} has joined #nixos-security
cole-h has quit [Client Quit]
tokudan has quit [Remote host closed the connection]
tokudan has joined #nixos-security
cole-h has joined #nixos-security
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-security
justanotheruser has joined #nixos-security
justanotheruser has quit [Excess Flood]
justanotheruser has joined #nixos-security
cole-h has quit [Quit: Goodbye]