[Nix-dev] Announcing: NixOS Security Team, and Request for Comments

Christian Theune ct at flyingcircus.io
Mon Jan 9 08:48:05 CET 2017


Hi,

great to see this initiative, thanks! (I’m personally extremely busy so I missed the forming thread in early December).

At the Flying Circus we’re currently a bit behind (still running on 15.09) but are going to move to a newer version soon.

We’re spending quite a bit of time reviewing the vulnerabilities we see when using Vulnix and adding package updates to our fork. I’d love it if we could contribute more directly to upstream. However, even after updating, we’ll likely be a bit behind all the time. In our experience we can’t afford a major update every 6 months, but at most once a year. So in that case we’ll likely be reviewing and contributing patches that need porting (either forward or backward).

I guess as a community we are focusing on updates for the most recent release. But I can see more people than just us (the Flying Circus) being interested in fixes that have a longer scope. I’m not talking about 5 years, but maybe more than 6 months. ;)

Cheers,
Christian

> On 6 Jan 2017, at 03:12, Graham Christensen <graham at grahamc.com> wrote:
> 
> 
> (cross-posted to nix-dev for discussion.)
> 
> Hello Nixians,
> 
> This morning the NixOS Security Team was formalized in a PR to the
> homepage: https://github.com/NixOS/nixos-homepage/pull/123.
> 
> This is now public at https://nixos.org/nixos/security.html.
> 
> This information is currently listed as follows:
> 
> 
>    Graham Christensen graham at grahamc.com
>    GPG Key: 0xFE918C3A98C1030F
>    GPG Fingerprint: BA94 FDF1 1DA4 0521 2864 C121 FE91 8C3A 98C1 030F
> 
>    Franz Pletz fpletz at fnordicwalking.de
>    GPG Key: 0x846FDED7792617B4
>    GPG Fingerprint: 8A39 615D CE78 AF08 2E23 F303 846F DED7 7926 17B4
> 
>    Domen Kožar domen at dev.si
>    GPG Key: 0xC2FFBCAFD2C24246
>    GPG Fingerprint: E96C 15A0 8D17 CE3B 17B0 C7AB C2FF BCAF D2C2 4246
> 
>    Rob Vermaas rob.vermaas at gmail.com
>    GPG Key: 0xE114A5F264A8AE8E
>    GPG Fingerprint: 96BF 75A5 3DEE 1F21 5F0C 979C E114 A5F2 64A8 AE8E
> 
> 
> At this time, none of us have signed each other's keys. There is some
> discussion about this in the pull request (linked above) but basically
> it boils down to this:
> 
> We do each trust the work and intentions of each other, but this
> doesn't necessarily translate into confirmed identity.
> 
> Signing keys has a lot of meaning around verifying identity. Until
> each of us is able to be in the same room and check identification, we
> can't very well assert each other's identities.
> 
> This is an effort to preserve the intentions of the web of trust... and
> this is where we get to the "request for comments" on how the Nix
> community would like for us to proceed on this front.
> 
> If you have any opinions or feedback, please feel free to reply to the
> nix-dev email list, and _not_ the GitHub issue so as to keep further
> conversation on this list.
> 
> 
> Thank you,
> Graham Christensen
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev

--
Christian Theune · ct at flyingcircus.io · +49 345 219401 0
Flying Circus Internet Operations GmbH · http://flyingcircus.io
Forsterstraße 29 · 06112 Halle (Saale) · Deutschland
HR Stendal HRB 21169 · Geschäftsführer: Christian. Theune, Christian. Zagrodnick
