COMSEC - 2024-05-04 - Meeting notes

2024-05-04 Meeting notes

Start: 17:00 (UTC+1)

  • minion (Skyler Grey)
  • jakehamilton (Jake Hamilton)
  • nat-418
  • dfh (Olly)
  • c8h4 (Christoph Heiss)


  • Introduction round
  • Vision
    • [nat] GUIX has a better security story
    • [dfh] Gentoo has security much more available, directly integrated into the standard utils that manage the system
    • How can we know what CVEs apply to us?
    • [dfh] I’m inspired by the Debian and Gentoo teams, I think they do a really great job at security. I would like to build something with similar quality
    • [nat] Aux should have a “blessed” way
      • Flakes/non-flakes is a split, and I can’t help across the divide
      • Aux should have like “aux secrets manager” [rather than sops-nix, age-nix, etc.]
      • [dfh] The term “blueprints” comes to mind … I want to bounce that a little towards the documentation team
        • I like the idea of security templates
        • It seems somewhat like the “module contracts” idea descriped at NixCon NA
          • [jakehamilton] That reminds me of how some k8s APIs are set up, for example you can have an “ingress provider” but it can be handled by different providers and it works the same
            • This would let us be a lot more nimble, as things tend to get tied in to a specific implementations
              • [minion] I’ve faced this with caddy/nginx in nixpkgs before
  • How is best to start?
    • [dfh] Jake Hamilton, how is it best to start off a security SIG?
    • [jakehamilton] I wonder if this should be a committee instead, as it’s more of an orgwide thing. Most of the SIG/Committee divide comes from k8s
      • A committee is handling more meta-tasks, not actual projects. Security committee could take care of the ongoing security tasks and form/ call on SIGs for (groups of?) projects (such as a “Secrets Management SIG” or “SELinux SIG” or “Secure Boot SIG”)
      • The committee would/ could set (technical) standards
  • [jakehamilton] One thing that’s come up a lot is “How do we drive things”
    • In the nix world, everything is third-party
    • They’re far more important than that, we need them to be 3rd-party, integrated and cohesive!
    • e.g. secrets management should be just a part of the project
  • [dfh] “Becoming coordinated with a security approach” is hard, and normally starts with a lot of thinking… you don’t necessarily want to maximize security. Maybe we should start by writing out a security story and getting people, SIGs, etc. on the same page
  • [dfh] How do we get a committe started
    • [jakehamilton]
      • Just do, messy (good enough) is OK for now.
      • Committees/ SIGs/ working group established with a charter and a formal process [k8s-community]


  • SIGSEC will become a committee
    • Overseeing the “security story” for Aux
    • Easier to spin off specialized SIGs
    • TODOS
      • Rename forum categories
      • Rename github teams
      • (skyler+dfh) Writing a “security story” partly fictional, partly technical
        • Community structure similar to kubernetes structure [k8s-community]
      • (dfh) Add a when2meet link up for the next conversation


  • [jakehamilton] This idea feels
  • [dfh] This call felt really nice



Look like it’s was an interesting meeting :smiley: lot of good idea


Yeah! You wanna participate? :wink: #NerdSnipe


yes i would like too sound fun, not sure if my timezone will align i’m in UTC+02 :grin:


Last meeting was

So I’m pretty sure your good.

1 Like

Well if you want to invite me i would be happy to join :grin:

1 Like

Everyone is invited! See 2024-05-04 -- First SIG Security Call for more details on this meeting, I imagine there’ll be a similar agenda post for next week


Sweet, thanks a lot :+1:

I wanna start building a self-signup process for COMSEC, would you mind testing that you can request membership to these 2 groups plz?

1 Like

i request to join the 2 groups

1 Like

Request accepted. (filler words)

1 Like