Remember when some people in the #nixos community were raising the alarm on corporate interests taking over the Nix project?

Today Nix apparently published a new security release, and at this point, several hours after the release, the only place where you can find information about it is on Determinate Systems' social media channels: https://x.com/DeterminateSys/status/1839145876486242659

Determinate Systems (@DeterminateSys) on X

Nix 2.24.8 is currently phasing in through all Determinate distribution channels. This release improves the security of Nix's builtin:fetchurl builder by validating TLS certificates against the system's certificate store. Note: builtin:fetchurl is not builtins.fetchUrl...

X (formerly Twitter)

@delroth https://github.com/NixOS/nix/commit/618a0cc9875628171663c9bc3829ed3755a458ed is one click away from https://github.com/NixOS/nix/releases/tag/2.24.8, which is one click away from https://github.com/NixOS/nix

What else did you want to happen between 4 AM and 8 AM CET? An episode of #FullTimeNix with @jgalowicz? Calm down the FUD.

Merge pull request #11592 from NixOS/mergify/bp/2.24-maintenance/pr-1… · NixOS/nix@618a0cc

…1585 builtin:fetchurl: Enable TLS verification (backport #11585)

GitHub

@monk that's a lot of coping to justify people not doing basic release work

@delroth I'll repeat my question. What other avenues of announcing this release were omitted?

Security

This category is here for tracking security advisories. Subscribe to it, if you want to stay in the loop about actionable announcements to keep your systems safe.

NixOS Discourse

@piegames @delroth and whose responsibility is it to post there?

@monk @delroth not mine for sure 🤷

@piegames @delroth OK, so

1. late in the night, a fix was backported
2. two hours later, Eelco tagged a release
3. Detsys (they're US, aren't they?) tweeted about it
4. the original poster wakes up, only finds a Detsys tweet, finds the media coverage inadequate and blames... the only party that covered the release in a way that reached them
5. people wonder why others find the NixOS polarization ridiculous and artificially sustained

I can't even. If you don't like the release announcement process, fix it. Don't just blame a random group of people you happen to dislike for not doing the thing you wanted done. This is not USpol, there is no inherent sports team rivalry. The game is co-op.

@monk @piegames @delroth

It would just be better if the project did proper releases, changelogs and advisories.

It's not that hard when you get paid to do it.

@Foxboron @piegames @delroth if that means you get paid for working on Nix, I'm genuinely happy for you. If that means you paid them for making timely changelogs and a tag is all you got, then yes, demand a refund by all means necessary.

@monk @Foxboron @delroth I don't really understand that "getting paid" argument. Like, I have a better release process and changelogs for my own software even where I'm the only user. Like, that's not hard, that's just basic due diligence! And Nix even already has some very sophisticated release notes tooling, why not fucking use it?