<simpson>
Note that almost nothing works without systemd, so you'll have to put in effort to provide your own init setup. That said, folks have done it before, so it's not impossible.
<BlackMug>
no problem currently whonix familiar anyway with systemd since its based on debian
<BlackMug>
but not sure how much nixos willing to harden their stuff like sandboxing using MAC and/or namespaces..etc
<BlackMug>
its true that the package with only user level privileges has less impact on the system but it still poses security threat without sandbox
<simpson>
Rather than hardening, our dominant security paradigm is based on the principle of least authority. Nix requires packages to explicitly declare which other packages they need as inputs, as if packages were capabilities.
<simpson>
But indeed, folks have checked in various hardening and mitigation patches, just like in other distros.
<BlackMug>
great do you have tickets or so for example is there ticket to force define a MAC like apparmor or SElinux for each package? (similarly to IOS/Android apps)
kalbasit has quit [Ping timeout: 240 seconds]
<BlackMug>
nixos use openssl,gnutls...etc for their package manager? (libressl is the preferred one since its the harden version of openssl)
<qyliss>
Nix makes it easy to override libraries, so you could use whatever you wanted if it was API-compatible
<BlackMug>
i meant nix package manager itself what does it use
<BlackMug>
guix for example using openssl , apt using gnutls ... so on
<qyliss>
It uses OpenSSL
<BlackMug>
ah i see
<BlackMug>
yeah this as well has a hardening way by shifting to libressl which is the hardened version of openssl
<qyliss>
You may also be interested in https://git.causal.agency/libretls/, which is a wrapper for libressl's new libtls implementing the OpenSSL API
<BlackMug>
i see thats nice, but the idea it need to be done from the nix upstream and becomes the default process otherwise its not hardened when it comes to the ssl library
<BlackMug>
whonix looking for futuristic partner focuses and solving the issues dilemma which current distros falling into specially when it comes to security part
<simpson>
BlackMug: What do you think of capability-aware platforms? Do seL4, Genode, Capsicum, or CloudABI seem like interesting directions?
<qyliss>
isn't CloudABI dead?
<BlackMug>
Sel4 is nice and i think the future is with microkernels anyway whether sel4 or redox (minix like) or hurd...etc
<simpson>
Probably. Capsicum on GNU/Linux is dead too, AIUI.
<BlackMug>
but currently none of them is with stable state that a distro can built itself on nicely unless its just for experimental/devs only
<qyliss>
ah you're looking for Whonix Workstation as well as for the gateway?
<BlackMug>
yeah sure or whonix host (under development)
<qyliss>
what's thatL
<qyliss>
*?
<BlackMug>
but current recommended host is Qubes OS
<qyliss>
A VM host?
<BlackMug>
yes VM host
<qyliss>
oh cool
<BlackMug>
So i wish for you guys bright future if nixos interested into hardening itself and built itself with hardened security mind then please dont hesitate communicate with us #whonix in OFTC or telegram or matrix
<BlackMug>
im outreach/support manager pleasure talking to you