| 15 Oct 2024 |
 hexa | did you? | 12:03:08 |
 emily | In reply to @hexa:lossy.network
We are disclosing two high-severity vulnerabilities in matrix-js-sdk and matrix-react-sdk related to MSC3061, which specifies sharing room keys with newly invited users for message history access.
"in the legacy (pre-Rust) encryption implementation" 🫠| 18:12:28 |
| emily | not libolm itself, but still | 18:12:38 |
| hexa | Where would we store a shared list of bogon cidrs used across various modules? | 18:18:58 |
| hexa | nixos/lib somewhere | 18:19:36 |
| hexa | But I wonder if we have prior art | 18:19:43 |
 ma27 | don't we have some networking functions from gsoc in lib? perhaps there? | 18:22:13 |
| hexa | not sure if that ever landed | 19:10:27 |
| hexa | lib/network apparently | 19:11:03 |
| hexa | lib/network/const.nix it'll be | 19:14:50 |
 f0x | https://github.com/NixOS/nixpkgs/pull/348779 I think this also patches element-web correctly (separate security advisory). Just wanted to confirm since it wasn't mentioned in the PR | 22:35:13 |
| f0x | and if something was done to Hydra for element-desktop, maybe the same also needs to happen for -web? I'm not really sure how that aspect of nixpkgs works, especially for security/backport related stuff | 22:37:18 |
| hexa | good catch | 22:41:11 |
| hexa | wdym with "done to Hydra"? | 22:41:25 |
| hexa | we don't have a separate pipeline for security stuff unfortunately | 22:41:43 |
| emily | kicking Hydra to get an early channel eval maybe? | 22:46:21 |
| hexa | bumped the -small jobsets to front | 22:49:28 |
| hexa | * bumped the -small jobsets to the front of the queue | 22:49:35 |
| f0x | In reply to @hexa:lossy.network
I'm kicking the hydra jobsets next not really sure what it entails, like what you mentioned here for the firefox stuff | 22:49:42 |
| hexa | that meant triggering an evaluation | 22:49:59 |
| hexa | and evaluation results in all jobs being identified and queued for execution | 22:50:17 |
| hexa | that happens on a schedule and I triggered it manually | 22:50:46 |
| f0x | ahh I see. In the meantime also did some searching and looking at the wiki; a fix like this gets backported to release-24.05, which normally would be picked up by Hydra every once in a while but can be manually triggered too, and when the build/tests pass it gets published to the nixos-24.05 branch, which also 'updates' the channel, and cache.nixos.org? | 22:52:45 |
| hexa | build results get pushed to the cache as soon as they finish building | 22:54:49 |
| hexa | and yes, once a jobset has completed all jobs, and its tested set has completed successfully, hydra will update the channel and its correlating github branch | 22:55:24 |
| hexa | result-24.05 -> hydra -> nixos-24.05{,-small} | 22:55:37 |
| hexa | pol created this uml diagram at some point http://www.plantuml.com/plantuml/uml/rPDDYzim48Rl-XKlz984ih3NvB3Rfj2UagKVz3oMnhPgMJBIYDr0VdoziWCrWQM7NlPYHjOpCyzhy6CIYf9xfyIAOnpjo-axjZYqv3qxvC6GS5AfitwWI3qgqbqJG_Rc45o8-63kMTVtIbtcwlBrR29Tb2gZ5L27s2a0U6qRyCJH1cCrENSkhssDrKT_nkzG8MMjEQKwkuSrRCBgp6aDQTaN5DZzYBPfE6A8GRF9aI5XreIUhDE-m6F1MFcmdaxUsFfQJIgp6wWXwzyoZ3mmoMmmvxlwF6NdokA64-eOUdonqkPg_rSddblhHfT3mM1OM0kR4h4OmWUPijuOJexNRKT-Bjzfi_7sPUYQj9EOVRVPb7LBUCG_PUiC1j8TZNepimWzWpy75yYWAZn5iJLfIP00JRhbkt5RI7SXDlECeZZlkXsur0opv5Q7lhAUpR_RBYwEhwFG1vFTulPRzX1EyaQ-_ntmDc7sIQXol4qzEVVk4fP3px5XfQRVxFJvjCElbWGj3GDxj1pvOQyMw5Ygn_6HU_S7 | 22:56:47 |
| hexa | * pol created this uml diagram at some point | 22:56:58 |
| emily | I like the todo :) | 22:57:48 |
| hexa | 🙂 | 22:58:06 |
