2025-09-06 –, Aula (4.101)
Shipping NixOS into products presents two challenges: the EU Cyber Resilience Act demands years of vulnerability management, SBOMs, and „security by design.“ Additionally, every OS upgrade can necessitate costly re-certifications.
A pragmatic solution is to offer long-term support for specific NixOS releases (24.05, 26.05, …) and maintain a minimal, test-gated backport stream. This approach aligns with CRA obligations and avoids the re-certification cycle associated with frequent release changes.
This approach is packaged as Ctrl-OS (Cyberus Technology Resilient Linux): a community-oriented NixOS LTS with a five-year support period, CRA-readiness, CVE tracking with continuous patch delivery, and SLAs with guaranteed fix timelines.
The key takeaways are vendor-agnostic: strategies for mitigating re-certification risk and demonstrating security maintenance while adhering to the Nix philosophy.
Furthermore, we will outline our plans for upstreaming and how to participate in the Ctrl-OS Open Beta to contribute to the development of a sustainable LTS narrative for NixOS.
