2024-05-04 Meeting notes
Start: 17:00 (UTC+1)
Attendees:
- minion (Skyler Grey)
- jakehamilton (Jake Hamilton)
- nat-418
- dfh (Olly)
- c8h4 (Christoph Heiss)
Agenda
- Introduction round
- Vision
- [nat] Guix has a better security story
- [dfh] Gentoo has security much more available, directly integrated into the standard utils that manage the system
- How can we know what CVEs apply to us?
- [jakehamilton] GitHub - nix-community/vulnix (vulnerability (CVE) scanner for Nix/NixOS) provides some way to check for CVEs in our store
- [nat] what about having an “aux audit” command
- [dfh] Can we check for vulnerable packages in our CI?
- [dfh] I’m inspired by the Debian and Gentoo teams, I think they do a really great job at security. I would like to build something with similar quality
- [nat] Aux should have a “blessed” way
- Flakes/non-flakes is a split, and I can’t help across the divide
- Aux should have like “aux secrets manager” [rather than sops-nix, age-nix, etc.]
- [dfh] The term “blueprints” comes to mind … I want to bounce that a little towards the documentation team
- I like the idea of security templates
- It seems somewhat like the “module contracts” idea described at NixCon NA
- [jakehamilton] That reminds me of how some k8s APIs are set up, for example you can have an “ingress provider” but it can be handled by different providers and it works the same
- This would let us be a lot more nimble, as things tend to get tied in to specific implementations
- [minion] I’ve faced this with caddy/nginx in nixpkgs before
- How is best to start?
- [dfh] Jake Hamilton, how is it best to start off a security SIG?
- [jakehamilton] I wonder if this should be a committee instead, as it’s more of an org-wide thing. Most of the SIG/Committee divide comes from k8s
- A committee is handling more meta-tasks, not actual projects. Security committee could take care of the ongoing security tasks and form/call on SIGs for (groups of?) projects (such as a “Secrets Management SIG” or “SELinux SIG” or “Secure Boot SIG”)
- The committee would/could set (technical) standards
- [jakehamilton] One thing that’s come up a lot is “How do we drive things”
- In the nix world, everything is third-party
- They’re far more important than that, we need them to be 3rd-party, integrated and cohesive!
- e.g. secrets management should be just a part of the project
- [dfh] “Becoming coordinated with a security approach” is hard, and normally starts with a lot of thinking… you don’t necessarily want to maximize security. Maybe we should start by writing out a security story and getting people, SIGs, etc. on the same page
- [dfh] How do we get a committee started
- [jakehamilton]
- Just do, messy (good enough) is OK for now.
- Committees/SIGs/working groups established with a charter and a formal process [k8s-community]
- [jakehamilton]
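The “how can we know what CVEs apply to us” thread above boils down to two mechanical steps a tool like vulnix performs: derive (package name, version) pairs from store paths, then match them against advisory data. The block below is an added illustration of those two steps and is not code from vulnix or from the Aux project. It follows Nix’s store-path naming rule (the version begins at the first dash followed by a digit), and the store paths and the advisory list are constructed sample data with placeholder identifiers, standing in for a real NVD feed.

```python
"""Toy store-path audit: parse Nix store paths, match against advisories.

Added example, not vulnix. The advisory list below is constructed sample
data with placeholder ids (EXAMPLE-*), not real CVE numbers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str      # placeholder identifier, not a real CVE number
    pname: str      # package name as it appears in the store path
    fixed_in: str   # first version that is no longer affected


def parse_store_path(path: str) -> tuple[str, str]:
    """Split /nix/store/<hash>-<name>-<version> into (name, version).

    Mirrors Nix's parseDrvName rule: the version starts at the first dash
    that is immediately followed by a digit. Paths without such a dash
    (e.g. "...-source") yield an empty version.
    """
    base = path.rstrip("/").rsplit("/", 1)[-1]
    store_hash, sep, name_version = base.partition("-")
    if not sep or len(store_hash) != 32:
        raise ValueError(f"not a store path: {path}")
    m = re.search(r"-(?=[0-9])", name_version)
    if m is None:
        return name_version, ""
    return name_version[: m.start()], name_version[m.end():]


def version_key(version: str) -> tuple:
    """Comparable key: numeric components as ints, the rest as strings.

    Tagging each component keeps int and str comparisons apart, so
    "3.0.9" < "3.0.10" holds (plain string comparison would get it wrong).
    """
    parts = re.split(r"[.-]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def find_vulnerable(store_paths, advisories) -> list[tuple[str, str]]:
    """Return (store_path, advisory id) pairs for every affected package."""
    hits = []
    for path in store_paths:
        try:
            pname, version = parse_store_path(path)
        except ValueError:
            continue  # skip anything that is not a store path
        if not version:
            continue  # unversioned outputs (sources, patches) cannot be matched
        for adv in advisories:
            if adv.pname == pname and version_key(version) < version_key(adv.fixed_in):
                hits.append((path, adv.ident))
    return hits


# Constructed sample store paths (hashes are dummy 32-character strings).
SAMPLE_PATHS = [
    "/nix/store/" + "0" * 32 + "-openssl-3.0.12",
    "/nix/store/" + "1" * 32 + "-openssl-3.0.13",
    "/nix/store/" + "2" * 32 + "-curl-8.5.0",
    "/nix/store/" + "3" * 32 + "-glibc-2.38-44",
    "/nix/store/" + "4" * 32 + "-source",
]

# Constructed advisories with placeholder ids; a real scanner would load these from NVD.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "openssl", "3.0.13"),
    Advisory("EXAMPLE-0002", "curl", "8.6.0"),
]


if __name__ == "__main__":
    for path, ident in find_vulnerable(SAMPLE_PATHS, ADVISORIES):
        print(f"{ident}: {path}")
```

Run stand-alone it reports the two affected paths (openssl 3.0.12 and curl 8.5.0) and stays silent on the patched openssl, the glibc path and the unversioned source output. A CI check built on this shape would feed it the closure of the system derivation (for example the output of `nix path-info -r`) and fail the job on any hit.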
Decisions
- SIGSEC will become a committee
- Overseeing the “security story” for Aux
- Easier to spin off specialized SIGs
- TODOS
- Rename forum categories
- Rename github teams
- (skyler+dfh) Writing a “security story”, partly fictional, partly technical
- Community structure similar to kubernetes structure [k8s-community]
- (dfh) Add a when2meet link up for the next conversation
Reflections
- [jakehamilton] This idea feels
- [dfh] This call felt really nice