[Nix-dev] Improving security updates

Jonathan Glines auntieneo at gmail.com
Fri Apr 10 23:35:33 CEST 2015


2015-04-10 14:20 GMT-06:00 Christian Theune <ct at flyingcircus.io>:
> Hi,
>
>> On 10 Apr 2015, at 22:16, Domen Kožar <domen at dev.si> wrote:
>>
>>
>> That's what I meant - sitting down together (sprints!) and writing those tools to help us automate security vulns monitoring for Nix.
>
> So the next level of discussion from there would be: what kind of tooling do people expect and what workflow should they support?

I think the typical sysadmin attitude towards security is "I don't
have time for this, but I still gotta cover my ass". So it would be
nice to have a "set and forget" type of tool that can be trusted to
automatically (or semi-automatically) pull in out-of-band security
patches, similar to how Ubuntu security updates work.

> Is there anything in people's heads already? Is that something that I just missed by being late to the game and the “work just needs to be done”? Or are we at the point of “need some design that the community agrees upon”?

Speaking of things in my head, I have been thinking about something
related to this...

I think it would be useful to have a "bump bot" for nixpkgs that could
scan meta data and catalog exactly which packages are out of date. The
bot would pull data from multiple sources (package mirrors, other
distros, security feeds) to warn about major version bumps and
security advisories. Maintainers could then use output from the bot to
see at a glance which of their packages are out of date. Maybe even
with a web interface with graphs and charts to compare against other
Linux distros and upstream. Distrowatch already does something similar
for a select few important packages.

That's my practical solution to the opaqueness of manually comparing
package versions in nixpkgs to a security feed that we trust someone
is actually watching.

Just throwing that out there. If it sounds useful, give me some
tips/encouragement and I might prototype something.
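As an added illustration of the "bump bot" idea sketched above (example code written for this page, not code from the thread, from nixpkgs or from any existing bot): the script below takes a constructed metadata dump keyed by attribute path, splits each Nix-style `<pname>-<version>` name at the first dash followed by a digit (the rule Nix's `parseDrvName` uses), orders versions with a simplified rendering of Nix's `compareVersions` convention, and then reports which packages lag a constructed upstream table and which fall below the fixed version named in a constructed advisory feed. The package names, versions, upstream versions and advisory ids are all made up for the example; a real bot would populate the two tables from mirrors, other distros and a security feed, as the message proposes.

```python
"""Added example: a minimal "bump bot" pass over package metadata.

All data here is constructed; nothing is a real nixpkgs snapshot or a real
advisory feed.
"""
import json
import re
from itertools import zip_longest
from typing import Dict, List, Tuple

# Constructed sample of package metadata, keyed by attribute path, with a
# Nix-style "<pname>-<version>" name.  Values are made up for this example.
NIXPKGS_JSON = """
{
  "nixpkgs.openssl": {"name": "openssl-1.0.1k"},
  "nixpkgs.bash":    {"name": "bash-4.3-p33"},
  "nixpkgs.curl":    {"name": "curl-7.41.0"}
}
"""

# Constructed "latest upstream version" table, standing in for what the bot
# would gather from release pages or other distros' package databases.
UPSTREAM_LATEST = {"openssl": "1.0.2a", "bash": "4.3-p33", "curl": "7.42.0"}

# Constructed advisory feed: package name plus the first version with the fix.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "openssl", "fixed_in": "1.0.1m"},
    {"id": "EXAMPLE-ADV-0002", "package": "bash", "fixed_in": "4.3-p30"},
]


def parse_drv_name(name: str) -> Tuple[str, str]:
    """Split 'foo-1.2' into ('foo', '1.2') at the first dash that is followed
    by a digit, the same rule Nix's parseDrvName applies."""
    m = re.match(r"^(.*?)-(\d.*)$", name)
    if not m:
        return name, ""
    return m.group(1), m.group(2)


def _components(version: str) -> List[str]:
    # Alternating runs of digits and letters; separators like '.' and '-' drop out.
    return re.findall(r"\d+|[A-Za-z]+", version)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a<b, a==b, a>b.  Simplified from Nix's ordering:
    numeric components compare as integers, numbers rank above alphabetic
    tags, 'pre' ranks below everything, and a version with an extra trailing
    component (1.0.1k vs 1.0.1) ranks higher."""
    for x, y in zip_longest(_components(a), _components(b), fillvalue=""):
        if x == y:
            continue
        if x == "pre":
            return -1
        if y == "pre":
            return 1
        if x == "":
            return -1
        if y == "":
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd:
            return 1
        if yd:
            return -1
        return (x > y) - (x < y)
    return 0


def build_report(nixpkgs_json: str, upstream: Dict[str, str],
                 advisories: List[dict]) -> Dict[str, dict]:
    """Per package: packaged version, upstream version, whether it lags
    upstream, and which advisories apply because the packaged version is
    older than the advisory's fixed_in version."""
    report: Dict[str, dict] = {}
    for attr, entry in json.loads(nixpkgs_json).items():
        pname, version = parse_drv_name(entry["name"])
        latest = upstream.get(pname)
        out_of_date = latest is not None and compare_versions(version, latest) < 0
        applicable = [
            adv["id"] for adv in advisories
            if adv["package"] == pname and compare_versions(version, adv["fixed_in"]) < 0
        ]
        report[pname] = {"attr": attr, "version": version, "upstream": latest,
                         "out_of_date": out_of_date, "advisories": applicable}
    return report


if __name__ == "__main__":
    # Plain-text "at a glance" view; a web interface would render the same rows.
    for pname, row in build_report(NIXPKGS_JSON, UPSTREAM_LATEST, ADVISORIES).items():
        flags = []
        if row["out_of_date"]:
            flags.append(f"behind upstream {row['upstream']}")
        if row["advisories"]:
            flags.append("advisories: " + ", ".join(row["advisories"]))
        print(f"{pname:<8} {row['version']:<10} {'; '.join(flags) or 'current'}")
```

The report separates "behind upstream" from "affected by an advisory" on purpose: a package can be a major version behind without any known issue, and a package can be current in nixpkgs terms yet still below an advisory's `fixed_in` version, which is the case that needs an out-of-band patch rather than a routine bump.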
