[Nix-dev] Improving security updates

Nathan Bijnens nathan at nathan.gs
Fri Apr 10 23:54:59 CEST 2015


This bump bot could open PRs on GitHub (I know, even more PRs...); it's the
best place to be sure a person looks at it.

It might make sense to start writing down our ideas into a Google Doc?

N.

On Fri, Apr 10, 2015 at 11:36 PM Jonathan Glines <auntieneo at gmail.com>
wrote:

> 2015-04-10 14:20 GMT-06:00 Christian Theune <ct at flyingcircus.io>:
> > Hi,
> >
> >> On 10 Apr 2015, at 22:16, Domen Kožar <domen at dev.si> wrote:
> >>
> >>
> >> That's what I meant - sitting down together (sprints!) and writing
> >> those tools to help us automate security vulns monitoring for Nix.
> >
> > So the next level of discussion from there would be: what kind of
> > tooling do people expect and what workflow should they support?
>
> I think the typical sysadmin attitude towards security is "I don't
> have time for this, but I still gotta cover my ass". So it would be
> nice to have a "set and forget" type of tool that can be trusted to
> automatically (or semi-automatically) pull in out-of-band security
> patches, similar to how Ubuntu security updates work.
>
> > Is there anything in peoples' heads already? Is that something that I
> > just missed by being late to the game and the “work just needs to be done”?
> > Or are we at the point of “need some design that the community agrees upon”?
>
> Speaking of things in my head, I have been thinking about something
> related to this...
>
> I think it would be useful to have a "bump bot" for nixpkgs that could
> scan metadata and catalog exactly which packages are out of date. The
> bot would pull data from multiple sources (package mirrors, other
> distros, security feeds) to warn about major version bumps and
> security advisories. Maintainers could then use output from the bot to
> see at a glance which of their packages are out of date. Maybe even
> with a web interface with graphs and charts to compare against other
> Linux distros and upstream. Distrowatch already does something similar
> for a select few important packages.
>
> That's my practical solution to the opaqueness of manually comparing
> package versions in nixpkgs to a security feed that we trust someone
> is actually watching.
>
> Just throwing that out there. If it sounds useful, give me some
> tips/encouragement and I might prototype something.
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
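A runnable sketch of the comparison core such a bump bot would need, added here as an illustration; it is not code from nixpkgs or from anyone on this thread. It orders version strings the way Nix's builtins.compareVersions does as far as I know it (digit runs compare numerically, "pre" sorts before everything, a non-numeric component sorts before a numeric one, so 2.3a < 2.3.1), then flags packages that are behind a constructed upstream list, marks which of those are major bumps, and matches packages against a constructed advisory feed by "fixed-in" version. Every package name, version and advisory id below is made up, and the Advisory/Finding shapes are my own assumption about what the bot would carry around.

```python
"""Core of a "bump bot": compare nixpkgs package versions against upstream
releases and a security feed.  Example code written for this thread, not a
nixpkgs tool; every package, version and advisory below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from itertools import zip_longest
from typing import Optional


def version_components(version: str) -> list[str]:
    """Split a version the way Nix's compareVersions does: '.' and '-' are
    separators, and each run of digits or of non-digits is one component."""
    return re.findall(r"\d+|[^\d.\-]+", version)


def _component_lt(c1: str, c2: str) -> bool:
    """Ordering of two components, modelled on Nix's componentsLT."""
    n1, n2 = c1.isdigit(), c2.isdigit()
    if n1 and n2:
        return int(c1) < int(c2)
    if c1 == "" and n2:                # exhausted side is older: 1.0 < 1.0.1
        return True
    if c1 == "pre" and c2 != "pre":    # "pre" sorts before anything: 1.0pre < 1.0
        return True
    if c2 == "pre":
        return False
    if n2:                             # non-numeric before numeric: 2.3a < 2.3.1
        return True
    if n1:
        return False
    return c1 < c2


def compare_versions(v1: str, v2: str) -> int:
    """-1 if v1 < v2, 0 if equal, 1 if v1 > v2 (contract of builtins.compareVersions)."""
    for c1, c2 in zip_longest(version_components(v1), version_components(v2), fillvalue=""):
        if c1 != c2:
            return -1 if _component_lt(c1, c2) else 1
    return 0


def is_major_bump(current: str, upstream: str) -> bool:
    """True when the leading numeric component grew, e.g. 2.3a -> 3.0."""
    cur = next((c for c in version_components(current) if c.isdigit()), None)
    new = next((c for c in version_components(upstream) if c.isdigit()), None)
    return cur is not None and new is not None and int(new) > int(cur)


@dataclass
class Advisory:
    package: str
    advisory_id: str   # constructed label, not a real CVE or distro advisory id
    fixed_in: str      # versions below this are still affected


@dataclass
class Finding:
    package: str
    current: str
    upstream: Optional[str]   # newer upstream version, or None if up to date
    major_bump: bool
    open_advisories: list[str]


def scan(packages: dict[str, str], upstream: dict[str, str],
         advisories: list[Advisory]) -> dict[str, Finding]:
    """Catalog packages that are behind upstream or still below an advisory's fix."""
    findings = {}
    for name, current in packages.items():
        latest = upstream.get(name)
        stale = latest is not None and compare_versions(current, latest) < 0
        open_adv = [a.advisory_id for a in advisories
                    if a.package == name and compare_versions(current, a.fixed_in) < 0]
        if stale or open_adv:
            findings[name] = Finding(
                package=name, current=current,
                upstream=latest if stale else None,
                major_bump=bool(stale and is_major_bump(current, latest)),
                open_advisories=open_adv)
    return findings


# Constructed sample data standing in for nixpkgs metadata, upstream mirrors
# and a security feed.
SAMPLE_NIXPKGS = {"libfoo": "1.0.1j", "barserver": "1.6.2",
                  "bazutils": "4.3-p30", "qux": "2.3a"}
SAMPLE_UPSTREAM = {"libfoo": "1.0.1k", "barserver": "1.6.2",
                   "bazutils": "4.3-p33", "qux": "3.0"}
SAMPLE_ADVISORIES = [Advisory("libfoo", "ADV-LIBFOO-1", fixed_in="1.0.1k"),
                     Advisory("barserver", "ADV-BAR-1", fixed_in="1.6.0")]


def report(findings: dict[str, Finding]) -> list[str]:
    """One line per package, security findings first: the shape a dashboard or PR body would use."""
    lines = []
    for f in sorted(findings.values(), key=lambda f: (not f.open_advisories, f.package)):
        tag = "SECURITY" if f.open_advisories else ("MAJOR" if f.major_bump else "bump")
        target = f.upstream or "(no newer upstream seen)"
        lines.append(f"{tag:8} {f.package} {f.current} -> {target} {' '.join(f.open_advisories)}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(report(scan(SAMPLE_NIXPKGS, SAMPLE_UPSTREAM, SAMPLE_ADVISORIES))))
```

The advisory match deliberately keys on the fixed-in version rather than on "latest upstream": a package can be fully up to date with upstream and still carry an open advisory if upstream has not released yet, and conversely a package behind upstream is only a security finding when a feed says so. Feeding real nixpkgs data would mean replacing SAMPLE_NIXPKGS with output of something like `nix-env -qaP --json` and the other two dicts with whatever mirrors and feeds the bot is pointed at.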