andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
<andi-> anyone working on dovecot patches yet?
<andi-> In any case I've started working on that
<hexa-> cool
<hexa-> thanks
<andi-> #108404 & #108405
<{^_^}> https://github.com/NixOS/nixpkgs/pull/108404 (by andir, 21 seconds ago, open): dovecot: 2.3.11.3 -> 2.3.13
<{^_^}> https://github.com/NixOS/nixpkgs/pull/108405 (by andir, 12 seconds ago, open): [20.09] dovecot: 2.3.11.3 -> 2.3.13
<bbigras> Is it recommended trying to use systemd's sandboxing for all our services? or maybe use apparmor?
<andi-> I'd say sandbox services with systemd.
<andi-> Apparmor on nixos is exactly a great story.
<andi-> Not sure if anyone is actually writing those files. Especially since they are not part of the service definition makes them potentially less maintained.
<bbigras> thanks
<bbigras> I found an example of systemd sandboxing in nixpkgs. https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/biboumi.nix there's a lot of lines
<bbigras> but maybe sometimes upstream will provide a "hardened" systemd .service file.
<andi-> I actually believe that upstream units are worse most of the time.
<andi-> There are probably good examples but often they just "work" and that is good enough for upstream.
<andi-> e.g. unbound upstream provides untested .socket files and the .service units are just not really idiomatic on how you would write them..
<bbigras> oh :(
<lukegb> Also sometimes upstream is actively against sandboxing in their service units *cough*
<bbigras> wow
<lukegb> In some cases it's fair: they invoke arbitrary other programs and they don't know what they'll do
<lukegb> So they're reluctant to accidentally break them (e.g. you've written some mail filter that spins up a VM that...)
<andi-> if you start a VM to filter mails you are not sane.
<andi-> like as part of another software.. :D
<andi-> spawn the VM first before touching the mail!