For anyone willing to help the Nix project, there's a script[1] you can use in the Nixpkgs repo to update the official Nix package for Chrome. If you ever feel that Chrome needs to be updated immediately, you can help out by running this script and opening a PR.
Now, back to the point: security issues are not "neglected" in NixOS, and most of the points made are simply not true. Security vulnerabilities are rounded up on a regular basis. However, like many open source projects, Nix is mostly being worked on by volunteers and I don't believe it's fair to spread doubts just because they don't get fixed in a day or two.
Let me also clarify the remaining points.
First, the parent comment alleges that the Chrome package in Nixpkgs has been neglected. This is not the case. Looking at the commit logs[2], the Chrome package has been updated on a frequent basis "from Dec 25 to Mar 12 of this year."
Second, the parent comment argues that installing your preferred version of Chrome is "distressingly" impossible. Again, this is false. Installing your preferred version of Chrome using Nix is as simple as supplying an alternative upstream URL for the google-chrome package. This happens to be one of the major selling points of Nix: it makes it easier to reuse and customize existing package definitions without friction.
I think it is fair as long as I make it clear (which I hope I have) that I didn't investigate fully after I saw some warning signs.
>spread doubts just because they don't get fixed in a day or two.
I am not a security expert, but tptacek is, and in 2017 he wrote that "You don't want your browser to be any number of days behind the Chromium patch cycle."[1] IIRC, tptacek or someone of similar credibility said that the browser and the kernel are the primary targets of zero-day exploits on a desktop Linux install.
Also, let's see how another party handles patches for Chrome: the Arch User Repository's Chrome package (not an official part of Arch Linux) "will automatically get updated as soon as the Debian package is available. This is checked at least once per hour."[2]
There are many, many things a distro needs to get right to compete with, e.g., Debian or Fedora on all the criteria desktop Linux users care about. It is not easy. My thanks to NixOS's maintainers for investing their time in trying to advance the state of the art. But Linux users invest a lot of time, too, and in chiming in today I did so because I thought I could save Linux users some time by presenting my conclusions after spending many tens of hours installing and exploring NixOS.
> Installing your preferred version of Chrome using Nix is as simple as supplying an alternative upstream URL for the google-chrome package.
Please correct me if I am wrong: this requires building Chrome from source, which will spike the user's CPUs for hours and is impossible with less than 8 megs of RAM ("More than 16GB is highly recommended").[3]
That's wrong. The google-chrome packages in nixpkgs are "built" by downloading the official releases (in .deb format I think) and massaging them a little. It takes a few seconds.
When the zero-days came out, I just updated the upstream-info.json file in my local nixpkgs checkout (look at previous chrome version bump commits for how to do it) and rebuilt my system. I didn't have to wait for any PRs or merges or CI/hydra. Granted, it requires a little nix knowledge, but if you've been running nixos you can probably figure out how to do it in a few minutes.
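As an added illustration of the "alternative upstream URL" route described in this thread (not code from any commenter or from nixpkgs itself), here is an overlay that pins google-chrome to a chosen release. It assumes the package is a stdenv.mkDerivation whose src comes from fetchurl, so overrideAttrs can swap it; the version, hash and the .deb URL pattern are placeholders to fill in.

```nix
# Added example: pin google-chrome to a specific upstream .deb via an overlay.
# Assumptions (not from the thread): google-chrome is a stdenv.mkDerivation
# with a fetchurl-based `src`, so overrideAttrs can replace it. VERSION and the
# sha256 below are placeholders for the release you actually want.
final: prev: {
  google-chrome = prev.google-chrome.overrideAttrs (old: rec {
    version = "VERSION-PLACEHOLDER";   # e.g. the build that carries the fix
    src = prev.fetchurl {
      # Assumed stable-channel .deb URL layout; adjust if your channel differs.
      url = "https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${version}-1_amd64.deb";
      # Pinning the content hash is the check that keeps "just point it at
      # another URL" honest: if the download ever differs, the build fails
      # instead of silently installing something else.
      sha256 = "sha256-PLACEHOLDER";
    };
  });
}
```

Drop this into `nixpkgs.overlays` in configuration.nix and rebuild; as the comment above notes, the build only unpacks and patches the downloaded .deb, so no compile from source is involved.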
For anyone reading along, if you visit https://www.google.com/chrome/ from a Linux box, then click the big blue "Download" button, you are offered the choice of a .deb or an .rpm. I take it that that is what parent means by "the official releases".
>massaging them a little. It takes a few seconds.
Interesting and surprising. When I run ldd on my Chrome binary (which comes straight from Google, not my distro), it lists 101 dynamically-linked libraries. I believe that that means that the binary contains references (i.e., file names) to those 101 libraries. Does the massaging process just replace those references (file names) with the appropriate names beginning with "/nix/store/"? I.e., does the massaging process edit the binary?
(If so, I'm a little surprised, what with how paranoid Google is, that Chrome doesn't refuse to start because the binary has a different checksum!)
I believe this is the package you are talking about. The significant part is basically bash, so it should be readable without Nix knowledge as well. And yeah, it creates a wrapper for setting some env variables, but it also replaces some dynamic lib locations with patchelf. So apparently it does start up with a different checksum; validation happens at another level.
[1]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/applicatio...
[2]: https://github.com/NixOS/nixpkgs/commits/master/pkgs/applica...