Brussels / 3 & 4 February 2024

Remediating thousands of untracked security vulnerabilities in nixpkgs
Through vendoring, many packages in nixpkgs end up including obsolete and vulnerable versions of their dependencies. This is especially prevalent for Rust, Go, JavaScript, Java and .NET software using strict lockfiles. How bad is the current situation really? What can nixpkgs contributors do to improve it?

Speakers

Pierre Bourdon (delroth)
