| 10 Oct 2024 |
 emily | actually I don't know how to do that while eval is in progress | 00:08:50 |
|  @cf11:0x2c.org left the room. | 05:03:51 |
 f0x | hmm, it seems like the firefox -bin packages aren't updated yet? | 10:58:46 |
 hexa | wdym updated? | 10:59:45 |
| hexa | they were merged 18 hours ago, we're probably just waiting for hydra, as always | 11:00:02 |
| hexa | they are in the latest channel bump for nixos-24.05 for example | 11:02:10 |
| hexa | not sure why the pr tracker claims otherwise | 11:02:25 |
| hexa | 
Download image.png | 11:02:27 |
| hexa | cc Alyssa Ross | 11:02:49 |
| hexa | https://nixpk.gs/pr-tracker.html?pr=347540 | 11:02:59 |
 vcunat | I think it moved around 2h ago. | 11:03:31 |
| vcunat | * I think the channel moved around 2h ago. | 11:03:37 |
| hexa | yeah | 11:03:38 |
| vcunat | Sounds too long for caching here. | 11:04:05 |
| f0x | ah, I noticed it on search.nixos.org, so probably just hydra then? | 11:06:19 |
| hexa | 
Download image.png | 11:06:56 |
| f0x | oh I got confused by the differences in versions across releases, it's just firefox-devedition-bin that's still on 131.0b9 | 11:09:11 |
| hexa | oh, we have those as well? sigh | 11:09:34 |
| hexa | I didn't know | 11:09:49 |
|  p4cmanus3r joined the room. | 13:26:30 |
 Alyssa Ross | In reply to @hexa:lossy.network
cc Alyssa Ross fixed | 16:03:52 |
| Alyssa Ross | (thanks for telling me) | 16:04:30 |
| Alyssa Ross | performance will be degraged for approximately three hours while it recovers | 16:06:29 |
| Alyssa Ross | (the yellow question mark btw means that checking that branch failed, which usually means something has gone wrong on the backend) | 16:10:19 |
| 11 Oct 2024 |
|  tollb1 joined the room. | 13:21:06 |
| 12 Oct 2024 |
 ElvishJerricco | Jan Tojnar, emily: So what do we want to do about the gdm-autologin LUKS exfiltration thing? I have a working demo of the problem. | 17:35:53 |
| emily | we should decide on a fix for ourselves and write up an advisory of the vulnerability and send it to oss-security, cc'ing the arch security team, probably requesting a CVE too however that's done | 17:36:46 |
| ElvishJerricco | It's worth noting that it's a very niche problem, in the sense that the autologin'd user is almost certainly owned by the same human being who just entered the LUKS password in the first place. | 17:37:05 |
| ElvishJerricco | but yea I don't think that will affect the severity rating of it | 17:37:18 |
| emily | there are still viable threat models & niche security vulnerabilities should still be reported | 17:37:27 |
