top | item 46099714

(no title)

foxheadman | 3 months ago

Reading the NixOS release notes every 6 months is how I learn about new software that I might want to try: https://nixos.org/manual/nixos/stable/release-notes#sec-rele...

For my first few years of NixOS I didn't understand the point of the NixOS stable releases, since even on "nixos-unstable" I found that if my nix config evaluates, then it'll work. And in the very rare case things broke, I could easily rollback.

NixOS stable, for me, provides API stability. I can leave a machine auto-updating, and be confident that my nix config will continue to be compatible, and thus build.

Thanks to the release managers for the work that goes into this!

discuss

viraptor|3 months ago

There's still the data migration issue. If you follow unstable all the time, an app may update its data files or databases at startup. Then, you can still roll back the binaries, but they'll just refuse to work (best case) or corrupt the unknown data format (worst case).

foxheadman|3 months ago

Yes, it's worth having ~hourly snapshots of your machine, using something like: https://github.com/digint/btrbk

exe34|3 months ago

You can still roll-forward specific apps - use the up to date ones if you really need to.

rkomorn|3 months ago

Indeed.

As soon as lanzaboote works with stable, I'll go back to stable (but I think that is not the case yet, sadly).

Lowkey plug for lanzaboote though. Getting secure boot working went pretty well for me thanks to it.

jchw|3 months ago

Does Secure Boot with NixOS even make sense? In an ordinary Secure Boot setup, you get the kernel/initrd/etc. with signatures from a trusted vendor, but with NixOS it is going to obviously sign everything locally. That means that you are not protected against bootkits and a root compromise is still just as bad as ever.

I suppose in combination with LUKS you could at least prevent evil maid attacks, to the extent that your machine's firmware is actually secure, but it seems like a lot of work for just that...

foxheadman|3 months ago

+1.

I'm keen for secure boot and TPM FDE, and would like to see lanzaboote in nixpkgs.

telotortium|3 months ago

Following up on this, has anyone tried this and seen how well it works in practice?

“ Speedify, a proprietary VPN which allows combining multiple internet connections (Wi-Fi, 4G, 5G, Ethernet, Starlink, Satellite, and more) to improve the stability, speed, and security of online experiences. Available as services.speedify.”