NAR unpacking vulnerability -- post mortem

I think we need less finger-pointing - in this thread, and in the wider Nix communities in general, tbh.

While the behavior of the reporter may not have been ideal, we cannot control how reporters behave. We can try to influence it, though. The best way to influence it, IMHO, is not to dissect and point out everything they did Wrong™ on a thread they’re not even active in*, or publicly shame them for ‘uncoordinated’ behavior (esp. when it seems there is room for improvement all around). Instead we should see what led to that behavior and see if ‘we’ could have done anything differently to increase the chance of a better outcome. In this case, making sure their concerns are heard and taken seriously, also following up on that earlier GHSA-wf4c-57rh-9pjg report?

(possibly that is already happening, I have no insight in internal communication on either the reporters’ or the Nix teams’ side, this is just based on the information in the linked threads)

*(I appreciate @jade chiming in here, but many posts seem to be commenting on @puckipedia)

11 Likes

We talked a lot to @puckipedia about this in one of our meetings, and what was equally frustrating was Puck’s seeming inability to consider that this was possibly a xkcd: Workflow situation. I insist that empathy around “is it a bug or feature?” ambiguous cases should be extended in both directions.

2 Likes

I apologise, I realise that the Lix teams have users best interests in mind and there was no malicious intent. It’s good to see (from the Fediverse (?) thread) that the two teams are willing to extend co-operation to avoid this happening again.

2 Likes

There’s a difference between “language that is deprecated by industry” and “language used to more clearly differentiate a package manager and a language that otherwise have the same name”

3 Likes

The communication issues in the post-mortem seem identified, and let’s set aside the rabbithole of politics for a moment (regardless of how much it informs threat modeling).

My questions:

  • What plan, if any, exists for doing another pass through the reported vulnerabilities and making sure nothing slipped through the cracks?
  • What’s the new policy, if any, around suggested timelines for disclosure?
  • What’s the new policy, if any, around communication channels? What are the backups, if any, for those channels?
  • What’s the plan, if any, for coordinating (including public visibility of status if not details) work on vulnerabilities?

Sorry for the Q&A format, but I find it can help with distillation.

1 Like

Let’s keep this civil and refrain from making ad-hominem attacks please.

Hidden a sub-thread unrelated to the vuln, feel free to open a new topic to talk about that.

7 Likes

I’m not here to point fingers. I can see a lot of places where the ball was dropped and communication broke down between many volunteers (btw thanks volunteers). I want to know, for the next disclosure, do we have processes in place that people can follow so we don’t repeat this again? Do we have something like this? → Vulnerability Disclosure - OWASP Cheat Sheet Series

What I could find is starting from the nixos/nix repo in CONTRIBUTING.md, it points to this policy page, which points back to the security team page on the nixos hompage. And that’s all I could find. Is there anything written somewhere about: what should go into a report, what we ask of reporters, how to keep communication open and ongoing, etc? Can we lift any literature from the OWASP cheatsheet? It seems like a good basepoint.

8 Likes

I’d like to understand this as well, as I asked about it on mastodon too, but it wasn’t answered there either.

4 Likes

We’re currently revisiting the two pending reports. I regularly prod those knowledgeable with the technicalities so we don’t lose track.

As of the current state of the update to the procedure, we mainly want to make sure it’s communicated clearly at all. Our availability varies widely, and making predictions of any sort in a volunteer setting doesn’t make much sense.

Unsolicited opinion on volunteering

Where someone gets paid, people from different orgs can’t tell each other what to do, so the result is roughly the same. A volunteer running out of steam trying to convince professionals about something they’re not economically incentivised to do may as well treat the professional like another volunteer. A professional who is not paid to convince a professional from a different org of something may also treat them as a volunteer.

Details by Rich Hickey: Open Source is Not About You. Basic human decency still applies of course.

Also in the procedure update PR: Essentially open a common Matrix room instantly. @Mic92 from the infra team volunteered to help with adding a nixos.org email forwarder to the maintainer team as a fallback. But that got stuck at some limitation by the provider – what’s the status there?

We haven’t figured that one out yet, but I think merely being more thorough when communicating with reporters and contributors will do it for now.

Not yet, but I intend to work on that once I get to it. No promises on the timeline though (cf. volunteering).

Regarding Matrix: Yeah, Matrix is not great, but it’s complicated and the issues with Matrix don’t seem central to me here. I don’t know whether the final message by Tom before the disclosure arrived in time or at all, so I can’t tell if that part of the communication breakdown was for technical reasons.

5 Likes

Thank you for the replies!

Not to bikeshed, but one thing:

Essentially open a common Matrix room instantly.

Is there any other solution (mailing list, or something?) than Matrix? If not, why not? Is there something we uniquely like Matrix for?

1 Like

Can’t speak for others, but for better or worse almost all of my Nix-related communication goes through Matrix, so due to network effects it’s convenient enough to suffer the downsides. Being able to instantly talk to almost anyone in the ecosystem is very valuable. So much that using email feels like a downgrade. That said, I had never wanted to use Matrix and still don’t particularly like the experience.

4 Likes

At risk of getting off-topic: the name of the language and the name of the implementation are different things, surely? I don’t think anyone’s proposing forking the language definition or referring to it as anything other than Nix. But regardless of what anyone feels about Lix or any related ‘drama’, tvix has been in the works for ages, so naming things a bit more precisely seems like a reasonable thing to do.

In the event the actual language implemented by alternative runtimes starts to seriously diverge, that would be a reasonable point to get concerned about naming. We’re not there yet though and hopefully won’t ever be.

2 Likes

This actually seems kind of off topic. When people focused on the postmortem stuff (which is currently happening again) everything was slightly more civil. It may be a valid point, but probably not worth interrupting for another one of these prolonged discussions. :slightly_smiling_face:

4 Likes

I’d still like to understand what happened with the last message from @tomberek to @puckipedia on the day the disclosure happened.

Should we not rely on matrix for critical communications? Was the message just missed?

7 Likes

I guess we’re not getting an answer to this.

I don’t know what happened to the message, and it’s impossible to reconstruct with what I have.

We already have redundant communication channels: Matrix and GitHub Security Advisories. Soon we’ll also have an email forwarder for the whole team. I think that’s alright for now, and there was no discussion to make further changes.

2 Likes