NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

Change security policy to report directly to the Nix team #11468

Open roberth opened 2 months ago

roberth commented 2 months ago

Describe the bug

The security policy https://github.com/NixOS/nix/security/policy requires reporting to the NixOS security team, but that indirection seems (EDIT: seemed to me) unnecessary and counterproductive, as it is important to work towards a patch ASAP.

I understand that @NixOS/security may want to be involved. Could we change the process so that the Nix team gets in touch with the security team instead? I believe their involvement is most relevant towards the end of the process.


mweinelt commented 2 months ago

We, @NixOS/security, are the first contact point, who immediately get in contact with a nix team member (most often Theophane in the past, but also Tom), to get the reporting party into a room with the team. This has happened ~5 times in the last 12 months with mixed success, but we've always reached out to the nix team within a few hours of getting the report.

We don't strictly want to be involved, but having someone external involved to make sure we adhere to some kind of deadline is crucial. If something won't be fixed, we still need to issue an advisory. If things stay internal at the nix team I fear we may never hear of some issues.

roberth commented 2 months ago

having someone external involved to make sure we adhere to some kind of deadline, which is crucial

That happens to be exactly what has failed this time, and I didn't even know you would also be responsible for that.

we've always reached out to the nix team within a few hours of getting the report.

That's good to know, but I think it may still lead to a perception that the reporting process is too contrived. I don't think this is the core of the problem however.

mixed success

Maybe it's because I haven't been assigned to any security issues, but this seems to have had no consequences that I'm aware of. Monitoring a process is useless if no corrections are made, and oh boy should we the Nix team have been corrected, I am disgusted to find out.

fricklerhandwerk commented 2 months ago

It would help just as well to make inter-team communication more predictable. Having a channel shared between Nix maintainers and the security team would be one way of improving reliability. Or clearly delineate responsibility and grant the right permissions so the security team can open advisories, which could be the single source of truth for maintainers.

Ericson2314 commented 2 months ago

Reaching out to one Nix Team member is absolutely unacceptable in that it creates a single point of failure, and too much indirection. We need to end up with a single communication channel which contains at least (a) the reporter and (b) the entire Nix team.

nixos-discourse commented 1 week ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2024-10-30-nix-team-meeting-minutes-190/55845/1

mweinelt commented 1 week ago

Reaching out to one Nix Team member is absolutely unacceptable in that it creates a single point of failure, and too much indirection. We need to end up with a single communication channel which contains at least (a) the reporter and (b) the entire Nix team.

At no point did we just reach out to one Nix Team member without immediately getting all involved parties into a room. I don't know where this idea is coming from, that we would fall victim to a SPOF in this process.

We don't strictly want to be involved, but having someone external involved to make sure we adhere to some kind of deadline is crucial. If something won't be fixed, we still need to issue an advisory. If things stay internal at the nix team I fear we may never hear of some issues.

How would you address this point then, given that some triage rooms had been open for months with me regularly asking for progress towards the end?