From fe346379e335f2f44f938972dfc8e9c0b613bb2e Mon Sep 17 00:00:00 2001
From: Kevin Amado <kamadorueda@gmail.com>
Date: Sat, 24 Sep 2022 16:51:01 -0600
Subject: [PATCH] feat(doc): #919 info disclosure

- Write an information disclosure threat and
  how we mitigate it

Signed-off-by: Kevin Amado <kamadorueda@gmail.com>
---
 docs/src/SUMMARY.md               |  1 +
 docs/src/security/threat-model.md | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md
index fcbf748e..66bed09a 100644
--- a/docs/src/SUMMARY.md
+++ b/docs/src/SUMMARY.md
@@ -9,6 +9,7 @@ SPDX-License-Identifier: MIT
 - [Contributing](./contributing/README.md)
 - [Governance](./governance/README.md)
 - [Security](./security/README.md)
+  - [Design Principles](./security/design-principles.md)
   - [Software Assurance](./security/assurance.md)
   - [SLSA](./security/slsa.md)
   - [Threat Model](./security/threat-model.md)
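Review bot: the new SUMMARY.md entry links to `./security/design-principles.md`, but the diffstat lists only `docs/src/SUMMARY.md` and `docs/src/security/threat-model.md`, so that file is not added by this patch; if it does not already exist in the tree the book build will have a dangling entry, and the commit message ("info disclosure" threat) does not mention this unrelated navigation change. Either add the file in this patch (and note it in the message) or split the Design Principles link into its own commit.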
diff --git a/docs/src/security/threat-model.md b/docs/src/security/threat-model.md
index 5e645ea1..251e9c87 100644
--- a/docs/src/security/threat-model.md
+++ b/docs/src/security/threat-model.md
@@ -80,6 +80,34 @@ SPDX-License-Identifier: MIT
 
 ## Information Disclosure
 
+- Although the `/nix/store` is individual per user,
+  a user may write secrets to it,
+  and then those secrets can be published to a binary cache
+  that is publicly accessible.
+
+  Mitigation:
+
+  - Makes has utilities for working with secrets in a way
+    that they are only copied to the `/nix/store`
+    in encrypted form,
+    and then decrypted at runtime,
+    where there are safe from disclosure.
+  - Makes copies the contents of the git repository
+    into a trusted control plane,
+    and excludes all of the files
+    that are not tracked by Git
+    from this checkout.
+  - Nothing from the `/nix/store`
+    is pushed to a binary cache by default.
+    A user would need to configure the cache explicitly,
+    and expose the corresponding secret
+    in an environment variable.
+  - Makes has support for binary caches
+    that are not publicly accessible as well,
+    so a user may chose to use this instead
+    as an extra layer of prevention.
+    Please see <https://cachix.org/> for more information.
+
 ## Denial of Service
 
 ## Elevation of Privileges
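Review bot: two typos in the added mitigations: "where there are safe from disclosure" should read "where they are safe from disclosure", and "so a user may chose to use this instead" should read "may choose". On the substance, the opening claim "Although the `/nix/store` is individual per user" is unclear: on a multi-user Nix install the store is a single world-readable directory shared by all local users, which makes the threat stronger (secrets written to the store are readable by other local accounts even when nothing is pushed to a cache), so consider stating that directly. The first mitigation says secrets are stored encrypted and "decrypted at runtime"; a reader of the threat model will want one sentence on where the decryption key lives (it must not itself be in the store), since that is what the mitigation depends on.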