Vulnix: New maintainer needed

Unfortunately, I don’t have time to continue the maintainership of vulnix nor am I able to prepare any more vulnerability roundups. We have had some discussions at last year’s NixCon but they did not result in an actionable plan.

So I reach out to the community today if someone would be willing to take over.

Big thanks to everyone who contributed suggestions, feature requests and patches. And apologies that I was not able to take care of them appropriately during the last year or so.

Vulnix maintainership issue: Looking for a new maintainer for vulnix · Issue #87 · nix-community/vulnix · GitHub

See also: The future of the vulnerability roundups @ discourse

13 Likes

I would suggest as a first measure to transfer the repo to nix-community

@Mic92

4 Likes

I am interested in contributing to maintaining vulnix

I also wanted to mention that I have been using GitHub - tiiuae/sbomnix: A suite of utilities to help with software supply chain challenges on nix targets in a project, and that this project in turn relies on GitHub - henrirosten/vulnix: Vulnerability (CVE) scanner for Nix/NixOS, an updated fork of the original vulnix project.

1 Like

I would also be happy to contribute to maintenance if it was moved to the nix-community org as previously suggested.

1 Like

This sounds really exciting! I’m glad that you guys are willing to take care of the project. And I would completely appreciate changing the tool to support an SBOM-based workflow. This would improve modularity.

@ctheune Would you be so kind as to transfer the repo if you are fine with this as well? I cannot do this.

3 Likes

Sure, aside from the mechanical part of transferring the repo. What kind of license transfer mechanics do we need to go through?

I’m no lawyer, but I don’t expect the license itself needs to change, just generalize the lines that claim that copyright belongs (fully) to Flying Circus, at least in files where other people make significant changes (i.e. AFAIK no action needed immediately).

1 Like

So typically I’d expect that the foundation needs a copyright assignment when doing a transfer like this. I’m happy to scrub the copyright headers (this is all mushy anyway WRT German copyright law) while under our control to make this more explicit regarding the history. I’m unsure who is in charge of copyright etc. – the github organisation page didn’t help. :confused:

nix-community is not really an organisation per se (nor is it associated with the NixOS Foundation) if you are talking about this.

2 Likes

The foundation exists as a legal entity, but I see no need for it to own copyright of this tool. I don’t think it owns any code so far; copyright just remains with individual authors – which saves the need for copyright assignments.

4 Likes

nix-community is in fact a non-profit organisation: Nix Community - Open Collective and a legal entity in at least Belgium

Update: it’s actually not nix-community that is a non-profit, but Open Collective Europe is. My mistake.

4 Likes

nix-community does not need a copyright assignment unless it wants to change the license. However this won’t be needed I’d say: BSD-3 is fine: https://github.com/flyingcircusio/vulnix/blob/c0f81569f1780c15f6c000e68dca0a01fc1fec76/LICENSE

1 Like

Alright, my intention was to ensure whoever receives it is on the safe side. Let me know which button I should press to get it transferred. :slight_smile:

I’d be happy to make progress, what’s the proper way to ping around here? :slight_smile: @Mic92 ?

1 Like

I have invited you to the nix-community org.
This gives you access to transfer the repository from the github project settings page.

Once that’s been done I will set up a team to manage repo access.

1 Like

Great, thanks! I’ve transferred the repo!

4 Likes

I have set up a vulnix team and added both you and @ckauhaus as maintainers.
You’re all set in the nix-community org for now.

I’ve also created a PR to move the CI over to GitHub Actions, which is what most nix-community projects use for CI.
This will give you access to the nix-community binary cache.

2 Likes