NixCon 2025

Maintaining NixOS Stability for Years: CRA Compliance without Re-Certification
2025-09-06, Aula (4.101)

Shipping NixOS into products presents two challenges: the EU Cyber Resilience Act demands years of vulnerability management, SBOMs, and "security by design", and every OS upgrade can necessitate costly re-certification.

A pragmatic solution is to offer long-term support for specific NixOS releases (24.05, 26.05, …) and maintain a minimal, test-gated backport stream. This approach aligns with CRA obligations and avoids the re-certification cycle associated with frequent release changes.

This approach is packaged as Ctrl-OS (Cyberus Technology Resilient Linux): a community-oriented NixOS LTS with a five-year support period, CRA-readiness, CVE tracking with continuous patch delivery, and SLAs with guaranteed fix timelines.

The key takeaways are vendor-agnostic: strategies for mitigating re-certification risk and demonstrating security maintenance while adhering to the Nix philosophy.

Furthermore, we will outline our plans for upstreaming and how to participate in the Ctrl-OS Open Beta to contribute to the development of a sustainable LTS narrative for NixOS.