This Bump bot could open PRs on GitHub (I know, even more PRs...), it's the best place to be sure a person looks at it.

It might make sense to start writing down our ideas into a Google Doc?

N.

On Fri, Apr 10, 2015 at 11:36 PM Jonathan Glines <auntie...@gmail.com> wrote:

> 2015-04-10 14:20 GMT-06:00 Christian Theune <c...@flyingcircus.io>:
>
> > Hi,
> >
> >> On 10 Apr 2015, at 22:16, Domen Kožar <do...@dev.si> wrote:
> >>
> >> That's what I meant - sitting down together (sprints!) and writing those tools to help us automate security vulns monitoring for Nix.
> >
> > So the next level on discussion from there would be: what kind of tooling do people expect and what workflow should they support?
>
> I think the typical sysadmin attitude towards security is "I don't have time for this, but I still gotta cover my ass". So it would be nice to have a "set and forget" type of tool that can be trusted to automatically (or semi-automatically) pull in out-of-band security patches, similar to how Ubuntu security updates work.
>
> > Is there anything in people's heads already? Is that something that I just missed by being late to the game and the “work just needs to be done”? Or are we at the point of “need some design that the community agrees upon”?
>
> Speaking of things in my head, I have been thinking about something related to this...
>
> I think it would be useful to have a "bump bot" for nixpkgs that could scan meta data and catalog exactly which packages are out of date. The bot would pull data from multiple sources (package mirrors, other distros, security feeds) to warn about major version bumps and security advisories. Maintainers could then use output from the bot to see at a glance which of their packages are out of date. Maybe even with a web interface with graphs and charts to compare against other Linux distros and upstream. Distrowatch already does something similar for a select few important packages.
>
> That's my practical solution to the opaqueness of manually comparing package versions in nixpkgs to a security feed that we trust someone is actually watching.
>
> Just throwing that out there. If it sounds useful, give me some tips/encouragement and I might prototype something.
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
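Added example (not code from anyone in this thread): the comparison core a "bump bot" like the one Jonathan describes would need, namely ordering version strings, flagging major bumps, and matching a package's current version against advisories that name the fixed version. Package names, versions, feeds and advisory ids below are all constructed placeholders, not real nixpkgs or advisory data.

```python
import re

# Constructed sample: versions the bot would read from nixpkgs meta data.
NIXPKGS = {"libfoo": "1.0.1k", "barserver": "1.6.2", "bazcli": "7.41.0"}
# Constructed sample: latest upstream releases gathered from mirrors/other distros.
UPSTREAM = {"libfoo": "1.0.2a", "barserver": "2.0.0", "bazcli": "7.41.0"}
# Constructed sample security feed: (package, first fixed version, advisory id).
ADVISORIES = [
    ("libfoo", "1.0.1m", "EXAMPLE-ADV-001"),
    ("bazcli", "7.40.0", "EXAMPLE-ADV-002"),
]


def parse_version(v):
    """Tokenise '1.0.1k' -> ((1,1),(1,0),(1,1),(0,'k')).

    Numeric tokens are tagged 1 and letter tokens 0 so tuples always compare
    without a TypeError; a letter suffix sorts below an extra numeric component,
    and a shorter prefix (1.0.1) sorts below a longer one (1.0.1.1).
    """
    return tuple((1, int(t)) if t.isdigit() else (0, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def is_major_bump(current, latest):
    """True when the leading component changed, the case worth a loud warning."""
    return parse_version(current)[0] != parse_version(latest)[0]


def report(nixpkgs, upstream, advisories):
    """One finding per package: freshness status plus advisories not yet fixed."""
    findings = {}
    for pkg, cur in sorted(nixpkgs.items()):
        up = upstream.get(pkg)
        if up is None:
            status = "unknown-upstream"
        elif parse_version(cur) < parse_version(up):
            status = "major-bump" if is_major_bump(cur, up) else "outdated"
        else:
            status = "current"
        # An advisory stays open while the packaged version is below its fix version.
        open_advs = [adv_id for p, fixed_in, adv_id in advisories
                     if p == pkg and parse_version(cur) < parse_version(fixed_in)]
        findings[pkg] = {"current": cur, "upstream": up,
                         "status": status, "advisories": open_advs}
    return findings


if __name__ == "__main__":
    for pkg, f in report(NIXPKGS, UPSTREAM, ADVISORIES).items():
        print(f"{pkg}: {f['current']} -> {f['upstream']} [{f['status']}] {f['advisories']}")
```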