[RFC 0127] Nixpkgs "problem" infrastructure #127
Conversation
edolstra
changed the title
edolstra
added
status: open for nominations
|
This RFC is now open for shepherd nominations! |
|
I nominate myself as a shepherd for this RFC. |
|
I will also nominate myself as shepherd. |
|
Two remarks after having a quick glance (sorry if I missed any relevant discussion):
given: meta.problems = {
CVE-2023-XXXX = {};
CVE-2023-YYYY = { message = "duh"; };
}would infer: meta.problems = {
CVE-2023-XXXX = {
kind = "insecure";
url = "https://nvd.nist.gov/vuln/detail/CVE-2023-XXXX";
};
CVE-2023-YYYY = {
kind = "insecure";
url = "https://nvd.nist.gov/vuln/detail/CVE-2023-YYYY";
message = "duh"; };
}The other remark is re: deprecation/removal: These should take a |
I think given the existence of auto-inference, expanding the scope should be non-controversial enough to review as the implementation becomes technically ready for inclusion? Maybe mention in future work. |
Definitely. We should just be careful to keep that path open in the RFC. |
|
Linking to NVD is not the best URL I could imagine. When it comes to security issues, advisories are often a far better understandable resource, than a central database that advertises CVSS scores, which are often so-so. Hence, I don't think auto-referencing NVD is really important here. |
As NVD usually has more or less reasonable summary and links to better write-ups, I think auto-linking NVD when there is no better link provided is useful (and fetching their links is impure so can't be done within Nix). |
I feel like this is security team's call to decide what to do on this and is tangent to this RFC though. |
|
The About generating those automatically, I don't know. I'm not a fan of doing some fuzzy matching on inputs in general, and also is pasting in a link every blue moon really so much effort that it is worth automating away? (https://xkcd.com/1205/ says no) |
I agree with you on the quality statement. :) |
kevincox
added
status: FCP
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/tweag-nix-dev-update-50/29793/1 |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/tweag-nix-dev-update-51/30870/1 |
infinisil
added
status: accepted
and removed
status: FCP
* [RFC 0127] Nixpkgs issues and warnings (NixOS#127) * Add URLs as structured information * Update rfcs/0127-issues-warnings.md Co-authored-by: Linus Heckemann <[email protected]> * Update rfcs/0127-issues-warnings.md Co-authored-by: Linus Heckemann <[email protected]> * Update rfcs/0127-issues-warnings.md Co-authored-by: Linus Heckemann <[email protected]> * Update rfcs/0127-issues-warnings.md Co-authored-by: Linus Heckemann <[email protected]> * Update rfcs/0127-issues-warnings.md Co-authored-by: Linus Heckemann <[email protected]> * Update rfcs/0127-issues-warnings.md * RFC 127 update shepherds * RFC 127 rework * Point out that the previous warnings system was not documented * Rework ignore mechanism * Update rfcs/0127-issues-warnings.md Co-authored-by: Silvan Mosberger <[email protected]> * Update rfcs/0127-issues-warnings.md Co-authored-by: Silvan Mosberger <[email protected]> * Remove "resolved" attribute again * Incorporate review feedback * Rewrite (again) * Rename throw->error, trace->warn * Make meta.problems an attrset * Rewrite *again*, most change is in the configuration options * Review update (WIP) * Review update * Update shepherds list * Meeting update * Typos --------- Co-authored-by: Linus Heckemann <[email protected]> Co-authored-by: Silvan Mosberger <[email protected]>
Rendered
Implementation PR
Matrix discussion room:
#nixos-rfc-127:lossy.networkPre-RFC discussion
Discussion notice: please try to attach all discussions to a thread by using the code review feature. If your comment doesn't refer a specific line to attach to, use the header line instead.