NixOS Distro preview

Hey, sorry for the late reply. Thank you for the engagement, I appreciate your post.

The challenge of navigating Nix terminology and executing complex tasks, such as making FHS-based software function, isn’t well-documented. This isn’t just my view; it’s a sentiment shared by others as well, e.g:

“This repository has been archived by the owner on Jul 24, 2024. It is now read-only.”

So, I think it’s not just stalled but actually ignored?

Nevertheless, the ticket I opened on their github issues is still there with no further work being done.

Thank you for confirming it works with Lanzaboote. However, upstream, based on the ticket I mentioned, still struggles to support this by default (unlike Debian/Ubuntu, Fedora, etc., which do support SecureBoot by default).

SELinux contradicts the declarative concept of Nix. AppArmor is better suited for NixOS, as noted by edolstra. However, regardless of which is chosen, Nix still needs a mechanism to secure software once it’s installed on the user machine, to prevent malware packages or vulnerabilities like zero-days from compromising the system.

I’m not aware of a real security sandboxing concept implemented in Nix/NixOS yet. The Nix sandboxed environment feature is not a security feature and does not replace AppArmor or SELinux concepts.

Well, it’s already mentioned in that ticket. Enabling auditing doesn’t resolve the issue, as discussed here.

These are two unrelated conversations happening here—one about rootless setups and another about sandboxing. Better not to mix them together.

Now, when you download the upstream ISO image of NixOS, can you install it without an internet connection? If you can make that happen, please show me how it’s possible.

Hmm, but Whonix is a Tor-based project, meaning that all traffic is routed through Tor by default for maximum privacy/security. Read here why repositories are better onionized/anonymized.

Debian also uses Fastly, but their server configurations are much better.

If notifying them doesn’t lead to a fix, there’s not much you can do. It’s their server and their responsibility to figure out how to improve their security.

So if I get it correctly, it is still considered an infrastructure problem that hasn’t been fully resolved, no?

Oh cool! Awesome news.

Many of the issues I’ve mentioned, which are still unresolved, are not blockers for considering NixOS a viable option, except for the ones that are currently critical (atm):

as mentioned above.

Despite everything, I’ve already opened a ticket to include Whonix/Kicksecure packages: