Today I’m glad to announce that the Nix ecosystem supply chain security project will be supported by the Sovereign Tech Fund with an investment of 226 000 Euro!
The focus of this project is on reducing our reliance on foreign binaries to compile Nixpkgs from scratch, ensuring we are are indeed running the code we compiled by leveraging existing security components in NixOS, and putting in place mechanisms that allow us to deliver the most up-to-date, secure software whenever it is available in a way that can be sustained given our maintainer capacities.
Specifically, by the end of the year this will provide the Nix community with three major improvements to the ecosystem’s security story:
- A state-of-the-art vulnerability tracker for Nixpkgs
- TPM2-based UEFI Secure Boot for NixOS
- A full-source bootstrap chain for the Standard Environment (
stdenv) in Nixpkgs
Check the submitted project description for details on the planned deliverables.
All of these three capabilities combined in one software distribution will be quite a unique feature in the open source world.
Nix is not only particularly suitable to support that with declarative, immutable configurations making highly intricate setups tractable.
The Nix ecosystem also needs them very much due to its immense size, growing popularity, and the resulting attack surface.
I’m quite excited about this happening, and proud to be part of it.
This effort will, with time, greatly improve the security situation for most Nix and NixOS users by default.
And it will also very likely further boost adoption of Nix and NixOS in security-sensitive software development communities.
It’s already an amazing showcase of community collaboration, and a perfect opportunity to show yet another time what’s possible with Nix.
@raitobezarius will work on the boot chain security part, together with @nikstur and @lheckemann. @raitobezarius is a Nixpkgs security contributor and reviewer of security fixes, the and was release manager for NixOS 23.05. @nikstur is one of the maintainers of lanzaboote, and @lheckemann is a prolific long-term contributor to Nixpkgs and NixOS, having managed the releases of NixOS 19.03 and 19.09 as well as being a member of the security team and the RFC Steering Committee.
@thubrecht will set up the web service for the vulnerability tracker and collaborate with the Nixpkgs security team to address their requirements.
The bootstrapping work is led by @emilytrau, who kickstarted the minimal bootstrap project and is involved in the community that delivered the Guix full-source bootstrap.
I will support the team with administrative tasks, external communication, and documentation reviews.
Thank you very much to everyone who made this possible!
Special thanks to the NixOS Foundation board (@edolstra, @domenkozar, @regnat, @ron, @zimbatm) for both financial and moral support with the application process.
Extra special thanks to @proofconstruction for sitting through the arduous last checks of the project descriptions.
The Sovereign Tech Fund (STF) invests in many other open source projects you may be interested in. Check out their announcements for this year’s funding round. STF supports the development, improvement, and maintenance of open digital infrastructure in the public interest. Its goal to strengthen the open source ecosystem sustainably, focusing on security, resilience, technological diversity, and the people behind the code. STF is funded by the German Federal Ministry of Economics and Climate Action (BMWK) and hosted at and supported by the German Federal Agency for Disruptive Innovation GmbH (SPRIND).
Stay tuned for updates, and get in touch if you have any questions.