| 20 Oct 2025 |
 Albert Larsan | There exists the FORBIDDEN internal-only RUSTC_BOOTSTRAP=1 env var IIRC if you want to use nightly features on stable, but you shouldn't. | 20:41:25 |
| 21 Oct 2025 |
 dramforever | don't grep RUSTC_BOOTSTRAP in nixpkgs | 04:43:27 |
|  Andrew Zah set a profile picture. | 09:49:41 |
 Sandro 🐧 | A friendly reminder about https://github.com/NixOS/nixpkgs/pull/451179 | 14:38:56 |
 niklaskorz | tested two meson-based packages and they build fine | 22:04:06 |
| niklaskorz | so from my perspective there have been enough reference packages in the comments that show this is good to go as-is | 22:07:08 |
| Sandro 🐧 | nice, thank you | 22:41:13 |
| niklaskorz | let's give Alyssa Ross same more time to react but otherwise I'd merge it tomorrow | 23:03:49 |
| niklaskorz | In reply to @hexa:lossy.network
ugh, I'm rewriting that After going through the relevant Cargo.tomls in servo and mozjs I can only conclude that this is the correct behavior | 23:17:46 |
| niklaskorz | I don't have an answer yet why cargo metadata would try to fetch a dependency that's disabled by default though | 23:18:10 |
 hexa | there is --locked for cargo metadata, but mozjs doesn't lock anything | 23:20:26 |
| hexa | and --offline is likely going to fail, because it can't fetch? | 23:20:44 |
| hexa | * and --offline is likely going to fail, because it can't fetch | 23:20:45 |
| hexa | but that would imply patching cargo_metadata | 23:21:22 |
| hexa | * but that would imply patching cargo\_metadata | 23:21:26 |
| hexa | * but that would imply patching cargo_metadata | 23:21:28 |
| 22 Oct 2025 |
| niklaskorz | Seeing what's it used for, i.e., determining the include path inside another crate, it seems easier to just replace the whole detection instead (so just the invocation of that function) | 06:56:07 |
| niklaskorz | * Seeing what it's used for, i.e., determining the include path inside another crate, it seems easier to just replace the whole detection instead (so just the invocation of that function) | 06:56:30 |
| niklaskorz | testing that now, let's see | 07:52:35 |
| niklaskorz | it's still building so I guess that's a good sign | 08:10:06 |
 Alyssa Ross | thanks for the ping. I'll look today. Catching up after having been sick. | 09:30:07 |
| niklaskorz | * let's give Alyssa Ross some more time to react but otherwise I'd merge it tomorrow | 09:30:42 |
| niklaskorz | hexa: build passing 👀 | 09:34:58 |
| niklaskorz | 
Download grafik.png | 09:35:32 |
| niklaskorz | sending the diff as a PR review in a moment | 09:36:07 |
| 23 Oct 2025 |
| niklaskorz | https://nvd.nist.gov/vuln/detail/CVE-2025-62518 | 22:04:02 |
| niklaskorz | "tarmageddon" | 22:04:25 |
| niklaskorz | Doesn't really seem to be used outside uv fortunately (which was already bumped to the fixed release) | 22:08:43 |
| niklaskorz | Oh nvm we do have some other affected Rust packages (that don't have a fixed release) | 22:10:06 |
| niklaskorz | ripgrep-all at least | 22:11:37 |
