10 Oct 2024 |
f0x | hmm, it seems like the firefox -bin packages aren't updated yet? | 10:58:46 |
hexa | wdym updated? | 10:59:45 |
hexa | they were merged 18 hours ago, we're probably just waiting for hydra, as always | 11:00:02 |
hexa | they are in the latest channel bump for nixos-24.05 for example | 11:02:10 |
hexa | not sure why the pr tracker claims otherwise | 11:02:25 |
hexa | cc Alyssa Ross | 11:02:49 |
hexa | https://nixpk.gs/pr-tracker.html?pr=347540 | 11:02:59 |
vcunat | I think it moved around 2h ago. | 11:03:31 |
vcunat | * I think the channel moved around 2h ago. | 11:03:37 |
hexa | yeah | 11:03:38 |
vcunat | Sounds too long for caching here. | 11:04:05 |
f0x | ah, I noticed it on search.nixos.org, so probably just hydra then? | 11:06:19 |
f0x | oh I got confused by the differences in versions across releases, it's just firefox-devedition-bin that's still on 131.0b9 | 11:09:11 |
hexa | oh, we have those as well? sigh | 11:09:34 |
hexa | I didn't know | 11:09:49 |
| p4cmanus3r joined the room. | 13:26:30 |
Alyssa Ross | In reply to @hexa:lossy.network cc Alyssa Ross fixed | 16:03:52 |
Alyssa Ross | (thanks for telling me) | 16:04:30 |
Alyssa Ross | performance will be degraded for approximately three hours while it recovers | 16:06:29 |
Alyssa Ross | (the yellow question mark btw means that checking that branch failed, which usually means something has gone wrong on the backend) | 16:10:19 |
11 Oct 2024 |
| tollb1 joined the room. | 13:21:06 |
12 Oct 2024 |
ElvishJerricco | Jan Tojnar, emily: So what do we want to do about the gdm-autologin LUKS exfiltration thing? I have a working demo of the problem. | 17:35:53 |
emily | we should decide on a fix for ourselves and write up an advisory of the vulnerability and send it to oss-security, cc'ing the arch security team, probably requesting a CVE too however that's done | 17:36:46 |
ElvishJerricco | It's worth noting that it's a very niche problem, in the sense that the autologin'd user is almost certainly owned by the same human being who just entered the LUKS password in the first place. | 17:37:05 |
ElvishJerricco | but yea I don't think that will affect the severity rating of it | 17:37:18 |
emily | there are still viable threat models & niche security vulnerabilities should still be reported | 17:37:27 |
emily | i think the CVSS probably won't be too bad but we can brainstorm it here | 17:37:34 |
emily | I might not be able to do too much today but if you start drafting up an advisory I can probably help tomorrow | 17:37:49 |