The Nixpkgs Security Tracker is a web service for managing information on vulnerabilities in software distributed through Nixpkgs.
This software is currently in the prototype stage. A demo deployment is available at https://tracker.security.nixos.org.
This tool is intended to be used by the Nixpkgs community to work through security advisories effectively. We identified three interest groups that the tool is going to address:

- Nix security team members use it to access an exhaustive feed of newly published CVEs, decide on their relevance, link them to the affected packages in Nixpkgs, notify package maintainers and discuss the issue with other team members.
- Nixpkgs package maintainers get notified and receive updates on security issues that affect the packages they maintain. By discussing issues with security team members and other maintainers, they help figure out which channels and packages are affected and ultimately work on fixes for the issue.
- Nixpkgs users can subscribe and stay updated on ongoing security issues that affect the packages they use.
Please see the Contributing Guide for more information on how to get started.
- 2023: The prototype was funded through the Sovereign Tech Fund "Contribute Back Challenge" 2023 investment, after a successful application with a proposal to strengthen NixOS security infrastructure.
- 2024: Production deployment was delayed due to technical and organisational challenges, with slow progress on volunteered time past the original schedule. The remaining work was picked up at the end of the year and concluded with a demo to the NixOS security team.
- 2025: Development of the Nixpkgs security tracker continued, funded via Tweag, as part of a larger effort to improve the robustness of the Nix ecosystem. The NixOS security team began using it in production, publishing and addressing numerous security issues.