[Nix-dev] Announcing: Security Tooling, nix-security-announce Mailing List

Graham Christensen graham at grahamc.com
Thu Nov 24 20:13:36 CET 2016


Hello Nix People,

With the help of Rob and Domen, NixOS has taken two big steps in our
security infrastructure. This is especially apt after completing the
first 10 weekly security roundups. We have now examined over a thousand
vulnerability alerts from LWN, and patched almost 200 packages.

Mailing List:
=============

Firstly, we now have a public mailing list, with a public archive to
distribute security announcements. This list can be found here:

https://groups.google.com/forum/#!forum/nix-security-announce

This list is exclusively for security announcements, and discussion
around security announcements related to Nix, NixOS, NixPkgs and NixOps.

Please subscribe for future security updates, and if you know anyone
interested in these updates please let them know it exists, too. This
list replaces the stop-gap solution of posting to
https://github.com/NixOS/nixpkgs/issues/13515.

We are still getting organized around this effort, but we plan to sign
official updates with GPG to verify authenticity. Eventually we will
publish a list of GPG keys to trust on the public website. For now, you
can feel free to trust my key. (See later in this email)

Tooling:
========

Secondly, the tooling I've used to generate our roundups has been
open sourced. You can find that code on GitHub:
https://github.com/NixOS/security

I tried to write enough documentation on how it works and how to use it
in the management of issues.

This tooling is young, but has saved me countless hours of work over the
last 10 roundups. I look forward to expanding and improving the tooling
over time.

What is Next?
=============

While I don't have a roadmap formally defined, here are some thoughts.

1. Creating tooling for users to know what CVEs they are impacted by
2. Improving the roundup generation to include CVE severity, impact,
etc. in order to prioritize the worst issues first.
3. Progress towards being eligible to join the oss-security "distros"
list (https://github.com/NixOS/nixpkgs/issues/14819)

GPG:
====

Fingerprint: FE918C3A98C1030F

You can find the key here:
https://pgp.mit.edu/pks/lookup?op=get&search=0xFE918C3A98C1030F

You can see I also reference it in my Twitter biography:
https://twitter.com/grhmc/

You can compare the key to how I've signed many commits in nixpkgs:
https://github.com/NixOS/nixpkgs/pull/20668/commits

Note, though, that I sign my commits with a different subkey:

    pub   rsa4096/0xFE918C3A98C1030F 2014-01-04 [SC] [expires: 2018-01-04]
    uid                   [ unknown] Graham Christensen <graham at grahamc.com>
    uid                   [ unknown] Graham Christensen (Contractor) <graham at clarify.io>
    uid                   [ unknown] Graham Christensen <graham at tumblr.com>
    sub   rsa4096/0x8ED3C0087C86E062 2014-01-04 [E] [expires: 2018-01-04]
    sub   rsa4096/0xACA1C1D120C83D5C 2016-10-21 [S] [expires: 2018-10-21]

You can also find me on keybase.io: https://keybase.io/graham

Final Notes:
============

Huge thank-you to Domen for moving my security repository to the NixOS
organization, Rob for creating the mailing list, and all of the
contributors to our first 10 security roundups.

Thank you,
Graham Christensen

P.S. Happy Thanksgiving, U.S.A.!
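Added example for readers who want to check signed announcements against the key described above; it is not part of Graham's mail or of the NixOS/security repository. Two details from the mail drive its design: the value labelled "Fingerprint" is the 16-hex-digit long key ID (the low 64 bits of the real 40-hex-digit OpenPGP v4 fingerprint), so a verifier should pin the full fingerprint obtained out of band rather than the key ID; and commits are signed with a separate signing subkey, so the check must map a signature back to the primary key instead of comparing the subkey. The script parses gpg's machine-readable `--with-colons` and `--status-fd` output; the 40-digit fingerprints and the listing/status samples are constructed placeholders, and the only identifiers taken from the mail are the two key IDs.

```shell
#!/bin/sh
# Added example, not from the announcement or the NixOS/security repo.
# Pins a signer by FULL primary-key fingerprint and checks GPG output
# against it. The 16-hex-digit IDs are from the mail; the 40-hex-digit
# fingerprints below are PLACEHOLDERS and must be replaced by the value
# obtained through a trusted channel.

KEYID="0xFE918C3A98C1030F"          # long key ID quoted in the mail
SIGNING_SUBKEY="0xACA1C1D120C83D5C" # signing subkey quoted in the mail
EXPECTED_FPR="0000000000000000000000000000000000000000"  # PLACEHOLDER

# Normalise a fingerprint for comparison: drop spaces, upper-case hex.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons --list-keys` output on stdin and print the
# primary key's fingerprint: in colon format an "fpr" record follows the
# "pub" record it belongs to, so take the first fpr after pub.
primary_fpr_from_listing() {
  awk -F: '$1 == "pub" { want = 1; next }
           want && $1 == "fpr" { print $10; exit }'
}

# Read `gpg --status-fd 1 --verify` output on stdin and print the
# primary-key fingerprint from the VALIDSIG line. Field 3 is the key that
# made the signature (here a signing subkey); field 12 is the primary key
# it belongs to. Pinning the primary lets subkeys rotate without breaking
# the check, and a BADSIG run produces no VALIDSIG line at all.
primary_fpr_from_validsig() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }'
}

# fpr_matches ACTUAL EXPECTED: succeed only on a non-empty, exact match.
fpr_matches() {
  [ -n "$1" ] && [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Live check (needs gpg and the key already imported): verify a signed
# announcement and require its primary key to be the pinned one.
verify_announcement() {
  gpg --batch --status-fd 1 --verify "$1" 2>/dev/null \
    | primary_fpr_from_validsig \
    | { read -r got; fpr_matches "$got" "$EXPECTED_FPR"; }
}

# Constructed samples (not real gpg output for this key) for offline use.
SAMPLE_LISTING='tru::1:1480000000:0:3:1:5
pub:-:4096:1:FE918C3A98C1030F:1388793600:1515024000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1388793600::0000000000000000000000000000000000000000::Graham Christensen <graham@grahamc.com>::::::::::0:
sub:-:4096:1:ACA1C1D120C83D5C:1477008000:1540080000:::::s::::::23:
fpr:::::::::1111111111111111111111111111111111111111:'

SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG ACA1C1D120C83D5C Graham Christensen <graham@grahamc.com>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2016-11-24 1480000000 0 4 0 1 8 00 0000000000000000000000000000000000000000'

# Offline self-check: listing and VALIDSIG both resolve to the pinned
# primary fingerprint, and the subkey fingerprint alone is rejected.
demo() {
  lst="$(printf '%s\n' "$SAMPLE_LISTING" | primary_fpr_from_listing)"
  sig="$(printf '%s\n' "$SAMPLE_STATUS" | primary_fpr_from_validsig)"
  fpr_matches "$lst" "$EXPECTED_FPR" || return 1
  fpr_matches "$sig" "$EXPECTED_FPR" || return 1
  if fpr_matches "1111111111111111111111111111111111111111" "$EXPECTED_FPR"; then
    return 1
  fi
  return 0
}

demo && echo "offline self-checks passed (pinned primary $EXPECTED_FPR)"
```

To use it against a real announcement, import the key (for example `gpg --recv-keys "$KEYID"`), replace `EXPECTED_FPR` with the full fingerprint confirmed through a second channel such as the keybase.io profile linked in the mail, then run `verify_announcement announcement.asc`; a non-zero exit means either an invalid signature or a signature by a key other than the pinned one.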