Florian Pester · 4 min read

On the Road to NixOS LTS with CTRL-OS

In this post we explain what long-term support for NixOS looks like in practice, how Cyberus makes CTRL-OS sustainable as a long-term partner for regulated industries, and how we address challenges in supply chain security, the Cyber Resilience Act and other industry regulations.

Ever since we announced our plans to provide long-term support for NixOS, we keep getting the same question: “How are you planning to provide long-term support for all 120,000 packages in nixpkgs?” The short answer is: you can’t. The good news is: you don’t need to.

Why NixOS long-term support is necessary

Current and upcoming cybersecurity regulation, such as the Cyber Resilience Act (CRA) in the European Union, focuses on supply chain security and on devices that stay supported over their lifetime. CTRL-OS helps meet the obligations of the CRA by ensuring the software is supported and maintained for 5 years.

Embedded-device vendors need stability for their devices. Certifications and safety considerations often require a software platform that receives security and bug fixes but otherwise stays unchanged.

What is supported and kept stable in CTRL-OS?

For the current, freely available version of CTRL-OS, our downstream NixOS distribution with long-term support, we decided to support the release-small package set. It includes enough packages for most people to get started with a stable, supported base system, and keeping the supported set this small is what lets us deliver reliable support without compromising quality.

Our customers can request additional packages to be included in the supported base. Technically, this happens by providing us with a Software Bill of Materials (SBOM) of the product. The Nix base is quite nice here: the closure of a Nix system already lists every package it depends on, so generating a complete SBOM of your product is straightforward.

CTRL-OS gives you predictability: You know exactly what is supported and for how long. No surprises.

We then make sure that the selected packages receive bug and security fixes (minor and patch updates) from the upstream projects for 5 years after the release of the original NixOS version. Occasionally we may add a new major version to a release as an add-on, if requested or otherwise necessary. Since Nix can install multiple versions of the same package side by side, we can do this without introducing a breaking change.

We also plan to keep the NixOS modules stable within a release.

How will you keep up with it all?

We currently use several sources of information to keep track of upstream software releases. Since the upstream tooling is built mostly for getting the latest and greatest versions of software, we had to roll our own.

CTRL-OS reduces the risk of running older stable versions of NixOS: CVEs are patched predictably.

We run an instance of Dependency-Track that is fed with an SBOM generated from the complete list of packages (release-small + all customer SBOMs + internal SBOMs) at the versions currently shipped in CTRL-OS. This tells us about known issues in supported software. The graph above shows the number of open CVEs over time. Note that before we started updating the packages, about 80 CVEs had accumulated in NixOS 24.05. The graph now shows 4, all of them in a single package (libtiff).
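The two paragraphs above describe the same pipeline from both ends: a customer hands over an SBOM of their product, and a Dependency-Track instance is fed an SBOM of everything shipped. The script below is an added example of how such an SBOM can be derived from a Nix closure; it is not CTRL-OS or Cyberus tooling. It takes the store-path listing that `nix-store --query --requisites /run/current-system` prints, splits each `/nix/store/<hash>-<name>-<version>` entry with Nix's own `parseDrvName` rule (the version starts at the first dash followed by a digit), collapses multi-output paths such as `openssl-3.0.13-bin` onto their package, and emits a CycloneDX JSON document that Dependency-Track can import. The closure listing is a constructed sample, the output-suffix list is a heuristic of this example, and the CPE/purl enrichment that improves Dependency-Track's matching is left out.

```python
"""Turn a Nix runtime closure listing into a minimal CycloneDX SBOM.

Added example, not CTRL-OS or Cyberus tooling. Input: one
/nix/store/<hash>-<name>-<version> path per line, as printed by
`nix-store --query --requisites /run/current-system`. A constructed sample
is embedded so the script runs without Nix installed.
"""
import json
import re
import sys
import uuid
from datetime import datetime, timezone

STORE_PATH_RE = re.compile(r"^/nix/store/([0-9a-z]{32})-(.+)$")

# Heuristic of this example (not a Nix rule): outputs of multi-output
# derivations appear as separate store paths whose "version" ends in the
# output name, e.g. openssl-3.0.13-bin. They are the same package for CVE purposes.
OUTPUT_SUFFIXES = ("bin", "dev", "lib", "doc", "man", "info", "debug", "out")

# Constructed sample listing. Real closures have thousands of lines, and a
# path can repeat when several listings are concatenated (release-small +
# customer SBOMs + internal SBOMs).
SAMPLE_CLOSURE = """\
/nix/store/1n3s6lwm9ykhk2jxqgmx8i7v5w4fc8rb-glibc-2.39-52
/nix/store/7gvbc2x9s4hnq1lzmj8ydr3k5fpw6i0a-libtiff-4.6.0
/nix/store/q8fd1kx5vwzh3ny9l2jrcs7bm4ga6pi0-openssl-3.0.13
/nix/store/zc4m7hs0lvq9xn2wybj6kd3fg8ra1p5i-openssl-3.0.13-bin
/nix/store/5lkj9wxz2nhv7qcs0by4mr8gd1fa3ip6-nixos-system-host-24.05.20240601.abcdef
/nix/store/n2vq6dxs9hwk4lby1zrc8jm3gf7pa0i5-etc
/nix/store/1n3s6lwm9ykhk2jxqgmx8i7v5w4fc8rb-glibc-2.39-52
"""


def parse_drv_name(drv_name):
    """Split a store name into (pname, version) the way builtins.parseDrvName
    does: the version begins at the first '-' immediately followed by a digit.
    Names without such a dash (e.g. 'etc') have an empty version."""
    m = re.search(r"-(?=\d)", drv_name)
    if m is None:
        return drv_name, ""
    return drv_name[: m.start()], drv_name[m.end():]


def strip_output_suffix(version):
    """Drop a trailing -bin/-dev/... so all outputs of one derivation map to
    the same (name, version) component. Heuristic: a package whose real
    version ends in one of these words would be mis-collapsed."""
    for suffix in OUTPUT_SUFFIXES:
        if version.endswith("-" + suffix):
            return version[: -len(suffix) - 1]
    return version


def closure_components(listing):
    """Parse a closure listing into deduplicated CycloneDX components.
    Paths without a version (system wrappers like 'etc') are skipped: they
    are not packages and could never match a CVE record."""
    seen = {}
    for line in listing.splitlines():
        m = STORE_PATH_RE.match(line.strip())
        if m is None:
            continue  # blank line or not a store path
        name, version = parse_drv_name(m.group(2))
        version = strip_output_suffix(version)
        if not version:
            continue
        key = (name, version)
        if key not in seen:
            seen[key] = {
                "type": "library",
                "bom-ref": f"nix:{name}@{version}",
                "name": name,
                "version": version,
            }
    return [seen[k] for k in sorted(seen)]


def build_sbom(listing, product_name="ctrl-os-system"):
    """Wrap the components in a CycloneDX 1.5 document. Name and version per
    component are the minimum Dependency-Track needs to look for known CVEs."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "operating-system", "name": product_name},
        },
        "components": closure_components(listing),
    }


if __name__ == "__main__":
    # Pipe a real listing in, or run without stdin to use the sample:
    #   nix-store --query --requisites /run/current-system | python3 sbom.py
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    json.dump(build_sbom(data or SAMPLE_CLOSURE), sys.stdout, indent=2)
```

Two things are worth checking before uploading such a BOM to Dependency-Track: that the deduplication did not merge two genuinely different packages (the `-bin` heuristic is a guess, `parseDrvName` is not), and that the component count matches what you expect from the closure, because a skipped, unversioned path is invisible in the CVE report afterwards. In the sample, the seven lines collapse to four components (glibc, libtiff, nixos-system-host, openssl).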

Another component we built is tooling that notifies us about new upstream releases. It currently creates issues in our internal issue tracker, where we analyze and triage each update and decide whether to apply it to CTRL-OS.

What this means for you as a CTO: fewer security headaches, clear visibility into vulnerabilities, and proactive patch management.

Try CTRL-OS

You can try CTRL-OS today. If your systems are still on NixOS 24.05, it is a drop-in replacement: point your inputs (flakes and channels are both supported) at https://channels.ctrl-os.com/channel/ctrlos-24.05.tar.xz and update your system. Head to the CTRL-OS documentation for a more in-depth explanation of what needs to be done.

You can also join our Matrix room: https://matrix.to/#/#ctrl-os:cyberus-technology.de or sign up for our newsletter to keep up to date with what we’re doing!

Are you responsible for product compliance? Get in touch with us to discuss how CTRL-OS ensures you meet regulatory obligations.
