Wednesday triage session
No issue triage this time, but we discussed the survey and the 2.30 security incident. See our postmortem in the thread.
Attendees: @edolstra @roberth @Mic92 @xokdvium @Ericson2314 @tomberek
Updates
- In Nixpkgs we are close to removing 2.24-2.27, finally getting rid of autotools
Agenda
- Community Feedback Requested: 2025 Nix Community Survey Planning
- Release 2.30 → security postmortem
@edolstra: Could have been caught by tools, classical (coverity) or AI.
- Risks: false positives, warning fatigue
- @roberth: also complacency and backlash (? - anti-AI sentiment)
- e.g. coderabbit, may need some prompting to avoid style suggestions
- Needs some experimentation
- @tomberek: coverity has an open source sponsorship programme
- @Mic92: fuzz testing (perhaps not this particular bug)
- @xokdvium: Someone did fuzz testing before (Discussion: Nix fuzzing · Issue #1937 · NixOS/nix · GitHub)
- @xokdvium: we could use clang libFuzzer, e.g. on the daemon protocol
- @xokdvium: cherry-pick (libstore/globals: do not let users run nix-daemon as root with build users group as root · Gerrit Code Review)
- @roberth: test macOS better
- Disable the sandbox in GHA so we can test our sandbox in the build, _NIX_TEST_NO_SANDBOX
- @Mic92: may not work due to GitHub restrictions
- @roberth: GitHub - MatthewCroughan/NixThePlanet: Run macOS, Windows and more via a single Nix command, or simple nixosModules to run a macOS VM in a build
- @xokdvium: Use the First class cross by roberth · Pull Request #13073 · NixOS/nix · GitHub to instantiate more Nix variations
Require 1 team review?
- @edolstra: Doubtful that people notice (Probably not the complete solution). Boolean blindness
- Was written by somebody else, so 4-eyes rule was applied this time
- Let’s enable the branch protection to require 1 review to further enforce? Risks making our process slower, but in practice we already tend to avoid self-merging and we’ll still have the scary red button in case we’d need to bypass.
- Done
Disclosure
02:15am UTC I made the call to disclose this as a security issue in Determinate Nix but make no mention of Nix itself.
- Disclosure happened too soon. Should have been coordinated with affected implementations, in this case only DetSys and upstream
- @edolstra now has pager duty in DetSys for events like this
@Mic92: Release automation so that any Nix team member can trigger a release
- Currently hydra is in the release process, making this complicated and slow
- Not everyone can bump hydra builds to the front of the queue
- A nix-small jobset could complete much faster (skipping some things like cross / VM tests / …)
- @Ericson2314: We shouldn’t have to use GHA but have an all-Nix-flavored flow
- @roberth: We have a staging hydra now, why not also a security hydra?
- @tomberek: What if GHA waits for Hydra?
- @roberth: It could then also get a token to bump the release builds
- @tomberek: Also webhooks for the waiting part
Action items:
- @tomberek and @Mic92 will work on a GHA release solution
- coverity: Open an issue (depends on Nixpkgs build issue)
- coderabbit: @tomberek add the GitHub App permission
- @xokdvium will continue to work on testing improvements
- @roberth: will try NixThePlanet for macOS testing (on Apple hardware)
Triage
No issue/PR triage this time.