I ran Gentoo for ~15 years and then switched to NixOS ~3 years ago. The last straw was Gentoo bug 676264, where I submitted version bump & build fix patches to fix security issues and was ignored for three months.
In Gentoo, glsa-check
only tells you about security vulnerabilities after there's a portage update that would resolve it. I.e., for those three months, all Gentoo users had a ghostscript with widely-known vulnerabilities and glsa-check was silent about it. I'm not cherry-picking this example—this was one of my first attempts to help be proactive about security updates & found that the process is not fit for purpose. And most fixed vulnerabilities don't even get GLSA advisories—the advisories have to be created manually. Awhile back, I had made a 'gentle update' script that just updated packages glsa-check complained about. It turns out that's not very useful.
Contrast this with vulnix, a tool in Nix/NixOS which directly fetches the vulnerability database from nvd.nist.gov (with appropriate polite local caching) and directly checks locally installed software against it. You don't need the Nix project to do anything for this to Just Work; it's always comprehensive. I made a NixOS upgrade script that uses vulnix to show me a diff of security issues as it does a channel update. Example output:
commit ...
Author: <me>
Date: Sat Jun 17 2023
New pins for security fixes
-9.8 CVE-2023-34152 imagemagick
-7.8 CVE-2023-34153 imagemagick
-7.5 CVE-2023-32067 c-ares
-7.5 CVE-2023-28319 curl
-7.5 CVE-2023-2650 openssl
-7.5 CVE-2023-2617 opencv
-7.5 CVE-2023-0464 openssl
-6.5 CVE-2023-31147 c-ares
-6.5 CVE-2023-31124 c-ares
-6.5 CVE-2023-1972 binutils
-6.4 CVE-2023-31130 c-ares
-5.9 CVE-2023-32570 dav1d
-5.9 CVE-2023-28321 curl
-5.9 CVE-2023-28320 curl
-5.9 CVE-2023-1255 openssl
-5.5 CVE-2023-34151 imagemagick
-5.5 CVE-2023-32324 cups
-5.3 CVE-2023-0466 openssl
-5.3 CVE-2023-0465 openssl
-3.7 CVE-2023-28322 curl
diff --git a/channels b/channels
a/channels +++ b/channels @@ -8,23 +8,23 @@ [nixos] git_repo = https://github.com/NixOS/nixpkgs.git git_ref = release-23.05 -git_revision = 3a70dd92993182f8e514700ccf5b1ae9fc8a3b8d -release_name = nixos-23.05.419.3a70dd92993 -tarball_url = https://releases.nixos.org/nixos/23.05/nixos-23.05.419.3a70dd92993/nixexprs.tar.xz -tarball_sha256 = 1e3a214cb6b0a221b3fc0f0315bc5fcc981e69fec9cd5d8a9db847c2fae27907 +git_revision = c7ff1b9b95620ce8728c0d7bd501c458e6da9e04 +release_name = nixos-23.05.1092.c7ff1b9b956 +tarball_url = https://releases.nixos.org/nixos/23.05/nixos-23.05.1092.c7ff1b9b956/nixexprs.tar.xz +tarball_sha256 = 8b32a316eb08c567aa93b6b0e1622b1cc29504bc068e5b1c3af8a9b81dafcd12