this post was submitted on 25 Jun 2023
13 points (100.0% liked)
nixos
1262 readers
8 users here now
All about NixOS - https://nixos.org/
founded 4 years ago
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
How are packages marked as insecure? I assume that's from some sort of automatic build process? Is that done in Hydra (https://hydra.nixos.org/)? Or is that from manual, or a lack of manual review?
I'll be honest, I have no idea. Sometimes, I get nagged that a package is insecure, and it seems reasonable like an old version of Electron, and then I just sigh and add it to my list of packages to ignore that warning on.
I didn't find anything concrete, but it seems that a package is automatically marked insecure if it has a dependency that has a known CVE. I wonder how that is done.
Manually.
There have been efforts to automate this partially but they've stalled.