I ran Nixos for a few months from Dec 25 to Mar 12 of this year. During that time there were 2 zero-day exploits published for Chrome that went unpatched for weeks on Nixos. (Specifically the package named google-chrome went unpatched.)

This was on the "unstable" branch of Nixos, the branch that became the stable branch today, which is the occasion of this story on HN we are commenting on.

Digression: the reason I chose the unstable branch instead of the then-stable branch (named Nixos-20.09) was that I wanted to achieve an "all-Wayland" environment as quickly as practical (and in fact all of the apps running on my machine right now and for the past few weeks talk directly to Wayland without the interposition of Xwayland). And the reason I wanted to jump ahead to an all-Wayland system is that although I knew Linux pretty well, I knew very little about X11, and I reasoned that since X11 is slowly going away anyways, I would prefer to avoid spending any time learning about it and would prefer to avoid having to get used to its quirks. (End of digression.)

You cannot just install Chrome from Google's web site on Nixos: unless someone has compiled it for you, you have to compile it from source and more distressingly you have to configure the compilation extensively to have any hope of the resulting binary actually running. For example, glibc on Nixos is not in a standard location, but rather all of the files in the glibc package are under a directory with a name like /nix/store/8f9f6724fd2341d9f2bc758cf9e43830d23d37a3-glibc. Well, of course the code that compiles Chrome needs to be informed of that location and of the locations of all of the other packages it relies on, e.g., the system's libraries for drawing GUIs on the screen. This job of configuring the compilation is most easily done by writing something similar to a declarative build script in the Nix language, so of course that means I would've had to learn a new programming language in order to patch the zero-day exploit in Chrome before the maintainer of the google-chrome package got around to it (which I never did).

Sadly, I did not have time back then in early March to install the stable version of Nixos to determine whether these zero-day exploits had remained unpatched there, too. (I did verify that the package "chromium" was at the same vulnerable version as the package "google-chrome" was.) So I guess the purpose of this comment is that there are preliminary signs (namely, the fact that nowhere was I warned that the unstable branch might have gaping security holes) that Nixos does not get as much attention from security-knowledgeable maintainers as some of the other Linux distros do -- or at least that the security attention it gets is concentrated on server use cases with desktop use cases being relatively neglected.

For anyone willing to help the Nix project, there's a script[1] you can use in the Nixpkgs repo to update the official Nix package for Chrome. If you ever feel that Chrome needs to be updated immediately, you can help out by running this script and opening a PR.

[1]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/applicatio...

---

Now, back to the point: security issues are not "neglected" in NixOS, and most of the points made are simply not true. Security vulnerabilities are rounded up on a regular basis. However, like many open source projects, Nix is mostly being worked on by volunteers and I don't believe it's fair to spread doubts just because they don't get fixed in a day or two.

Let me also clarify the remaining points.

First, the parent comment alleges that the Chrome package in Nixpkgs has been neglected. This is not the case. Looking at the commit logs[2], the Chrome package has been updated on a frequent basis "from Dec 25 to Mar 12 of this year."

Second, the parent comment argues that installing your preferred version of Chrome is "distressingly" impossible. Again, this is false. Installing your preferred version of Chrome using Nix is as simple as supplying an alternative upstream URL for the google-chrome package. This happens to be one of the major selling points of Nix: how it makes it easier to reuse and customize existing package definitions without friction.

[2]: https://github.com/NixOS/nixpkgs/commits/master/pkgs/applica...

>I don't believe it's fair to spread doubts

I think it is fair as long as I make it clear (which I hope I have) that I didn't investigate fully after I saw some warning signs.

>spread doubts just because they don't get fixed in a day or two.

I am not a security expert, but tptacek is, and in 2017 he wrote that "You don't want your browser to be any number of days behind the Chromium patch cycle."[1] IIRC, tptacek or someone of similar credibility said that the browser and the kernel are the primary targets of zero-days exploits on a desktop Linux install.

[1] https://news.ycombinator.com/item?id=13517227

Also let's see how another party handles patches for Chrome: the Arch User Repository's Chrome package (not an official part of Arch Linux) "will automatically get updated as soon as the Debian package is available. This is checked at least once per hour."[2]

There are many, many things a distro needs to get right to compete with, e.g., Debian or Fedora on all the criteria desktop Linux users care about. It is not easy. My thanks to Nixos's maintainers for investing their time in trying to advance the state of the art. But Linux users invest a lot of time, too, and in chiming in today I did so because I thought I could save Linux users some time by presenting my conclusions after spending many tens of hours installing and exploring Nixos.

[2] https://aur.archlinux.org/packages/google-chrome/

>Installing your preferred version of Chrome using Nix is as simple as supplying an alternative upstream URL for the google-chrome package.

Please correct me if I am wrong: this requires building Chrome from source, which will spike the user's CPUs for hours and is impossible with less than 8 megs of RAM ("More than 16GB is highly recommended")[3]

[3] https://chromium.googlesource.com/chromium/src/+/HEAD/docs/l...

That's wrong. The google-chrome packages in nixpkgs are "built" by downloading the official releases (in .deb format I think) and massaging them a little. It takes a few seconds.

When the zero-days came out, I just updated the upstream-info.json file in my local nixpkgs checkout (look at previous chrome version bump commits for how to do it) and rebuilt my system. I didn't have to wait for any PRs or merges or CI/hydra. Granted, it requires a little nix knowledge, but if you've been running nixos you can probably figure out how to do it in a few minutes.

For anyone reading along, if you visit https://www.google.com/chrome/ from a Linux box, then click the big blue "Download" button, you are offered the choice of a .deb or an .rpm. I take it that that is what parent means by "the official releases".

>massaging them a little. It takes a few seconds.

Interesting and surprising. When I run ldd on my Chrome binary (which comes straight from Google, not my distro), it lists 101 dynamically-linked libraries. I believe that that means that the binary contains references (i.e., file names) to those 101 libraries. Does the massaging process just replace those references (file names) with the appropriate names beginning with "/nix/store/"? I.e., does the massaging process edit the binary?

(If so, I'm a little surprised, what with how paranoid Google is, that Chrome doesn't refuse to start because the binary has a different checksum!)

Yes, exactly: https://github.com/NixOS/patchelf

It's a key part of how nix works.
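For readers who want to see concretely what "editing the binary" means in the exchange above, here is an added example; it is neither nixpkgs code nor patchelf itself. The Python toy below hand-builds a minimal little-endian ELF64 image (constructed input, not a runnable program) so it works offline, then reads back the three things `ldd` and patchelf deal with: the loader path in the PT_INTERP segment, the DT_NEEDED library names, and the DT_RUNPATH search path. It finally overwrites the loader path in place with a made-up /nix/store path, which only works when the replacement fits the existing slot; real patchelf moves sections so the strings can grow, which this toy does not attempt.

```python
"""Toy ELF64 reader/rewriter for the references patchelf edits.

Added example, not nixpkgs or patchelf code. The image is built in memory
(constructed test input) so the demo runs without touching a real binary.
"""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 1, 5, 15, 29
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def build_toy_elf(interp, needed, runpath, interp_slot=64):
    """Lay out: ELF header, 3 program headers, PT_INTERP slot, .dynstr, .dynamic.

    One PT_LOAD mapped at vaddr 0 makes file offsets equal virtual addresses,
    which keeps the address translation below honest but short.
    """
    interp_blob = interp.encode() + b"\0"
    if len(interp_blob) > interp_slot:
        raise ValueError("interpreter path longer than the reserved slot")
    dynstr, str_off = b"\0", {}
    for s in needed + [runpath]:
        str_off[s] = len(dynstr)
        dynstr += s.encode() + b"\0"
    phnum = 3
    interp_off = EHDR_SIZE + PHDR_SIZE * phnum
    dynstr_off = interp_off + interp_slot
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7          # 8-byte align .dynamic
    dyn = [(DT_STRTAB, dynstr_off)]
    dyn += [(DT_NEEDED, str_off[s]) for s in needed]
    dyn += [(DT_RUNPATH, str_off[runpath]), (DT_NULL, 0)]
    dyn_blob = b"".join(struct.pack("<qQ", tag, val) for tag, val in dyn)
    total = dyn_off + len(dyn_blob)

    def phdr(p_type, flags, off, size, align):
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        return struct.pack("<IIQQQQQQ", p_type, flags, off, off, off, size, size, align)

    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8     # ELFCLASS64, LSB, v1, SYSV
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, EHDR_SIZE, 0, 0,
                        EHDR_SIZE, PHDR_SIZE, phnum, 64, 0, 0)
    img = bytearray(ehdr)
    img += phdr(PT_LOAD, 5, 0, total, 0x1000)
    img += phdr(PT_INTERP, 4, interp_off, interp_slot, 1)
    img += phdr(PT_DYNAMIC, 6, dyn_off, len(dyn_blob), 8)
    img += interp_blob.ljust(interp_slot, b"\0")
    img += dynstr
    img += b"\0" * (dyn_off - len(img))
    img += dyn_blob
    return bytes(img)


def _program_headers(img):
    if img[:4] != ELF_MAGIC or img[4] != 2 or img[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (phoff,) = struct.unpack_from("<Q", img, 32)
    phentsize, phnum = struct.unpack_from("<HH", img, 54)
    for i in range(phnum):
        yield struct.unpack_from("<IIQQQQQQ", img, phoff + i * phentsize)


def parse_dynamic_refs(img):
    """Return (interp, [needed...], runpath): the strings ldd and patchelf report."""
    loads, interp, dyn = [], None, None
    for p_type, _, p_off, p_vaddr, _, p_filesz, _, _ in _program_headers(img):
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_INTERP:
            interp = img[p_off:p_off + p_filesz].split(b"\0", 1)[0].decode()
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    if dyn is None:
        raise ValueError("no PT_DYNAMIC: static binary or not an executable")

    def to_off(vaddr):  # DT_STRTAB holds a virtual address, not a file offset
        for base, off, size in loads:
            if base <= vaddr < base + size:
                return vaddr - base + off
        raise ValueError("vaddr %#x outside every PT_LOAD" % vaddr)

    entries = []
    for pos in range(dyn[0], dyn[0] + dyn[1], DYN_SIZE):
        tag, val = struct.unpack_from("<qQ", img, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab = to_off(next(v for t, v in entries if t == DT_STRTAB))

    def cstr(idx):
        return img[strtab + idx:img.index(b"\0", strtab + idx)].decode()

    needed = [cstr(v) for t, v in entries if t == DT_NEEDED]
    runpath = next((cstr(v) for t, v in entries if t in (DT_RUNPATH, DT_RPATH)), None)
    return interp, needed, runpath


def set_interpreter_in_place(img, new_interp):
    """Overwrite the PT_INTERP bytes when the new path fits the existing slot.

    In-place case only; real patchelf rewrites the file so the string can grow.
    """
    data = bytearray(img)
    for p_type, _, p_off, _, _, p_filesz, _, _ in _program_headers(data):
        if p_type != PT_INTERP:
            continue
        blob = new_interp.encode() + b"\0"
        if len(blob) > p_filesz:
            raise ValueError("new path does not fit; the segment would have to move")
        data[p_off:p_off + p_filesz] = blob.ljust(p_filesz, b"\0")
        return bytes(data)
    raise ValueError("no PT_INTERP")


if __name__ == "__main__":
    elf = build_toy_elf("/lib64/ld-linux-x86-64.so.2", ["libc.so.6", "libgtk-3.so.0"], "/usr/lib")
    print(parse_dynamic_refs(elf))
    # Hypothetical store path; the "0000" hash is made up for this example.
    print(parse_dynamic_refs(set_interpreter_in_place(elf, "/nix/store/0000-glibc/lib/ld-linux-x86-64.so.2")))
```

What this shows for the thread: the 101 entries `ldd` lists are DT_NEEDED strings resolved by the dynamic loader through DT_RUNPATH/DT_RPATH and the loader's own search path, and the loader itself is named by the plain string in PT_INTERP. The dynamic loader checks none of these against a checksum or signature, so rewriting them does not stop the program from starting; Google's own integrity mechanisms live inside Chrome, not in the ELF loader.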