Greetings, friends and colleagues. This is a joint letter by me and Jonn Mostovoy, co-founders of Serokell, regarding the state of security in NixOS and a roadmap for fixing it.
Hopefully, all of us are using NixOS in our companies; however, most of the time NixOS machines are deep within the perimeter and aren't facing the wild Internet, because the reaction time to a newly found vulnerability is very long, especially compared with the lag in other distros such as Arch Linux. Also, a proper update process can be tediously slow. When we faced the problem of making systems that are designed to run 24/7 in extremely hostile networks, we decided to take Arch and, well, re-implement some ideas from Nix, because it was cheaper and safer business-wise. Of course, we really want to throw away our pathetic reinvented wheel and just use NixOS. But for that, three major things have to be done:

1. We have to switch to the model of package updates implemented by Nicolas and widely announced at NixCon;
2. Fund a team of itsec professionals who will perform maintenance of nixpkgs;
3. Make sure that grsecurity patchsets and other kernel hardening flavors (which – ?) are shown to work and integrated into system configuration. Or make it easy to apply these patchsets if someone needs them.

Regarding (1), it's a question of community / individual effort, to which we would gladly contribute.

Regarding (2), we think that businesses that use NixOS should pool some resources, make a tender and deal with the itsec group who wins this tender. Again, we are ready to lead the charge here. It is worth noting that the NixOS community already has a CVE scraper that, if I recall correctly, maps CVEs to packages.

(3), of course, is also a question of individual / community effort; what's more, undoubtedly most people who run systems that ought to match certain security parameters have already made expressions for custom kernels. We just need to generalize the most common use cases and put those in the configuration set.
If we manage to reach the aforementioned goals, NixOS will go from the least secure popular distro to the most secure one, which would be a huge win both for every single member of the Nix community and for marketing.

-- Kindest regards, Arseniy and Jonn
_______________________________________________ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev