andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
supersandro2000 has quit [Disconnected by services]
supersandro2000 has joined #nixos-security
tilpner_ has joined #nixos-security
tilpner_ is now known as tilpner
rajivr has joined #nixos-security
ajs124 has quit [Quit: Bridge terminating on SIGTERM]
ajs124 has joined #nixos-security
cole-h has joined #nixos-security
cole-h has quit [Ping timeout: 240 seconds]
sphalerite has joined #nixos-security
cole-h has joined #nixos-security
prusnak has joined #nixos-security
tilpner has quit [Quit: tilpner]
tilpner has joined #nixos-security
blueberrypie has joined #nixos-security
nh2 has quit [Ping timeout: 260 seconds]
eyJhb has quit [Ping timeout: 260 seconds]
eyJhb has joined #nixos-security
eyJhb has joined #nixos-security
nh2 has joined #nixos-security
cole-h has quit [Ping timeout: 240 seconds]
rajivr has quit [Quit: Connection closed for inactivity]
asymmetric has joined #nixos-security
<asymmetric> hi, is it possible to be notified of CVEs affecting packages on nixos?
<supersandro2000> if they are written in the package it won't be built by default
<supersandro2000> in a field in the meta section
<asymmetric> supersandro2000: i'm not sure i understand
<asymmetric> i was thinking of something like https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
<asymmetric> a mailing list, or an rss feed one could subscribe to
<asymmetric> afaik it's not possible to subscribe to github labels
<supersandro2000> asymmetric: not that I know of
<supersandro2000> 406 if you try the common way to get atom feeds
feepo has joined #nixos-security
justanotheruser has quit [Ping timeout: 265 seconds]
aminechikhaoui has joined #nixos-security
justanotheruser has joined #nixos-security
<bennofs> i think it would be good if NixOS packages could be associated with CPEs. Then you could easily use the CPE query to watch CVEs that are tagged correctly at least
<hexa-> asymmetric: unfortunately we won't have security advisories
<hexa-> s/won't/don't/
<Foxboron> bennofs: That assumes the CVE data contains the data. They often don't
<hexa-> ^ also this
<bennofs> that's why I said "if it is tagged correctly" :)
<bennofs> but you could at least XRef it with debian packages having the same CPE in that case
<bennofs> i feel like it would be beneficial to have a unique identifier to xref packages between distros, and CPE seems like it would work for that?
<Foxboron> CPE/SWID and other stuff. The OpenSSF vuln WG is looking at it. CPE is however not really meant for this IIRC
<Foxboron> They identify products. Distros just repackage stuff
<bennofs> Foxboron: what do you mean by identifying products? Are distro packages not packaged products?
<bennofs> i know it won't be perfect but it'd be just a simple piece of metadata that could help for many cases?
<Foxboron> I don't know where you would attach this data?
<bennofs> meta.cpe?
<Foxboron> I'm speaking broadly :p I don't know nixos
<Foxboron> I had no clue Debian collected the data. Hm you could actually utilize that and repology to associate packages between distros
<bennofs> Foxboron: in nixos, package expressions have a meta attribute which is used to collect simple key-value things like homepage and license
<bennofs> it'd be easy to add a cpe to it, given that people agree on doing it
<bennofs> I think repology also tries to associate cpes if they can
<Foxboron> Right, I was thinking about using CPEs between distros to identify between distros