Remember when some people in the #nixos community were raising the alarm on corporate interests taking over the Nix project?

Today Nix apparently published a new security release, and at this point several hours after the release the only place where you can find information about it is on Determinate Systems' social media channels: https://x.com/DeterminateSys/status/1839145876486242659

Determinate Systems (@DeterminateSys) on X

Nix 2.24.8 is currently phasing in through all Determinate distribution channels. This release improves the security of Nix's builtin:fetchurl builder by validating TLS certificates against the system's certificate store. Note: builtin:fetchurl is not builtins.fetchUrl...

@delroth
https://github.com/NixOS/nix/commit/618a0cc9875628171663c9bc3829ed3755a458ed is one click away from https://github.com/NixOS/nix/releases/tag/2.24.8, which is one click away from https://github.com/NixOS/nix

What else did you want to happen between 4 AM and 8 AM CET? An episode of #FullTimeNix with @jgalowicz? Calm down the FUD.
Merge pull request #11592 from NixOS/mergify/bp/2.24-maintenance/pr-1… · NixOS/nix@618a0cc

…1585 builtin:fetchurl: Enable TLS verification (backport #11585)

@monk that's a lot of coping to justify people not doing basic release work
@delroth I'll repeat my question. What other avenues of announcing this release were omitted?
Security

This category is here for tracking security advisories. Subscribe to it, if you want to stay in the loop about actionable announcements to keep your systems safe.

NixOS Discourse
@piegames @delroth and whose responsibility it is to post there?
@monk @delroth not mine for sure 🤷
@piegames @delroth OK, so

1. late in the night, a fix was backported
2. two hours later, Eelco tagged a release
3. Detsys (they're US, aren't they?) tweeted about it
4. the original poster wakes up, only finds a Detsys tweet, finds the media coverage inadequate and blames... the only party that covered the release in a way that reached them
5. people wonder, why others find the NixOS polarization ridiculous and artificially sustained

I can't even. If you don't like the release announcement process, fix it. Don't just blame a random group of people you happen to dislike for not doing the thing you wanted done. This is not USpol, there is no inherent sports team rivalry. The game is co-op.

@monk @piegames @delroth

If you don’t like the release announcement process, fix it.

I don’t like it and I wanna fix it. How do I do that? I’m literally not aware of any avenues of improving that which aren’t rising in governance ranks.

@monk @delroth @piegames the reason people complain here is because that’s the only place someone will even listen, if leadership wasn’t deaf maybe sure, doing more than complaining would be feasible for most people.

Like there is genuinely critical infrastructure running on Nix, this is so obviously unacceptable.

@cafkafk @piegames @delroth oh, absolutely cut the "ranks" stuff until you submit a change and it gets rejected. And if there never was a formalized process, assume that the process is monitoring github tags.
@monk @piegames @delroth right so where do I submit that process change? I just open a PR against nixccp and that’s how it works? Seriously?
@monk @delroth @piegames should I open an rfc?
@delroth @monk @piegames if the process is monitoring github tags then that’s not a process, idk when detsys decided that Nix should be a hobbyist distro but we’re actually real people using this and this is just like, not excusable
@delroth @monk @piegames there was a talk once way back where grahamc said something like “we should really get a handle on security, because I don’t wanna go back to ansible” and honestly that spirit has totally been lost, it’s a fucking shame
@delroth @monk @piegames no matter how hard uncritical fans cope online, NIS2 is coming Europe-wide and I wanna keep working with Nix, and I could keep working with Nix with like, the same basic amount of effort as other projects put into this, if the bar is lower than that then it’s game over
@cafkafk @piegames @delroth yes, just file the PR, no need to grind any imaginary ranks. The file is maintainers/release-process.md, if you were being sarcastic.

@monk @piegames @delroth

It would just be better if the project did proper releases, changelogs and advisories.

It's not that hard when you get paid to do it.

@Foxboron @piegames @delroth if that means you get paid for working on Nix, I'm genuinely happy for you. If that means you paid them for making timely changelogs and a tag is all you got, then yes, demand a refund by all means necessary.
@monk @Foxboron @delroth I don't really understand that "getting paid" argument. Like, I have a better release process and changelogs for my own software even where I'm the only user. Like, that's not hard, that's just basic due diligence! And Nix even already has some very sophisticated release notes tooling, why not fucking use it?
@monk @piegames @delroth Serious question: What exactly do you gain from defending a company, which actively seeks to harm the Nix community, so damn hard? Ended up on their payroll somehow?
@c8h4 @piegames @delroth I have zero relationship with them, financial or otherwise. And I'm not defending one side, I'm shaming the harmful community polarizers that are phenomenally blind to what actually happens in reality if it gives them an excuse to blame the side they don't like, even if it makes negative sense like in this example.

Like you. Go stand in a corner in shame.
@Foxboron @delroth the first link looks like a tool for reporting in private.

@monk @delroth

No, it's for announcing security issues to the public. It gets aggregated and picked up by downstreams.

@monk @delroth

You can ofc *also* use it for coordinating security issues and disclosures, but that is the secondary function.

@monk @delroth @jgalowicz So I’m just supposed to know that the latest commit in the release is worth reading?

This is almost never true. Usually, a release commit bumps a version number or something.

How far back should I go?

How should I determine what’s changed since the last release?

We have a well-established tool for this: release notes.

@samir @delroth @jgalowicz the commit does update release notes

@monk @delroth @jgalowicz Indeed, but I cannot verify whether it’s the only commit in the release that does so, at least not without much more work.

Release notes are useful… if you publish them.