
[Tracking issue] "End user" story

Open RaitoBezarius opened this issue 1 year ago • 9 comments

(Personal notes; will be expanded upon later.) In the event that someone writes a daemon or a tool to scan (continuously) NixOS closures for security vulnerabilities, it would be interesting to coordinate via the security tracker itself to offer a way to tap into its database.

It is critical for this to enrich the security tracker data so that it knows things like "this security issue is related to this set of packages" and "this set of packages is related to those .drv files or store paths", and to make the metadata clear about it.

So a tool could hypothetically send a compressed set of the store paths composing the system and get a response about the potential vulnerabilities affecting such a system.

A lot has to be figured out on:

  • what is the set of information a client should send to know about vulnerabilities?
  • how to ensure privacy?
  • how to avoid denial of service for very large systems and ensure fairness?
  • user agent coordination / tokens, etc.?

Obviously, things like "you overrode your package", so the store path cannot be recognized because you are compiling it yourself, are unavoidable and out of scope for this project.

RaitoBezarius, Nov 06 '23 00:11
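The lookup the issue sketches, as an added example that is not part of nix-security-tracker's code: the client sends the store paths of its closure, the server matches them against tracker data (here constructed, with hypothetical advisory ids and hashes), and a path that carries an affected package name but an unknown hash, such as the overridden or locally rebuilt packages the issue mentions, is reported as unrecognized rather than silently dropped.

```python
import re

# A Nix store path is /nix/store/<32-char base32 hash>-<name>[-<version>];
# Nix's base32 alphabet omits the letters e, o, t and u.
STORE_PATH_RE = re.compile(r"^/nix/store/([0-9a-df-np-sv-z]{32})-(.+)$")


def parse_store_path(path):
    """Return (hash, pname, version) for a store path, or None if malformed.
    The version starts at the first '-' followed by a digit, as parseDrvName does."""
    m = STORE_PATH_RE.match(path.strip())
    if not m:
        return None
    hash_part, rest = m.groups()
    vm = re.search(r"-(\d.*)$", rest)
    if vm:
        return hash_part, rest[: vm.start()], vm.group(1)
    return hash_part, rest, ""


# Constructed tracker data (hypothetical ids and hashes, not real advisories):
# advisory -> affected package names + store-path hashes of builds known to be affected.
ADVISORIES = {
    "EXAMPLE-ADV-001": {"packages": {"examplelib"},
                        "hashes": {"0123456789abcdfghijklmnpqrsvwxyz"}},
    "EXAMPLE-ADV-002": {"packages": {"exampletool"},
                        "hashes": {"zyxwvsrqpnmlkjihgfdcba9876543210"}},
}

# Constructed client payload, shaped like `nix-store -qR /run/current-system` output.
CLOSURE = [
    "/nix/store/0123456789abcdfghijklmnpqrsvwxyz-examplelib-1.0.1",
    "/nix/store/1123456789abcdfghijklmnpqrsvwxyz-exampletool-2.3",  # overridden build
    "/nix/store/2123456789abcdfghijklmnpqrsvwxyz-unrelated-0.9",
]


def scan_closure(advisories, closure_paths):
    """Match a closure against the tracker. 'matched' paths are known-affected builds;
    'unrecognized' paths have an affected package name but a hash the tracker has
    never seen (overridden/locally built), which it cannot judge either way."""
    report = {}
    for path in closure_paths:
        parsed = parse_store_path(path)
        if parsed is None:
            continue  # not a store path; ignore rather than fail the whole query
        hash_part, pname, _version = parsed
        for adv_id, adv in advisories.items():
            bucket = "matched" if hash_part in adv["hashes"] else \
                     "unrecognized" if pname in adv["packages"] else None
            if bucket:
                report.setdefault(adv_id, {"matched": [], "unrecognized": []})[bucket].append(path)
    return report
```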