 | Nixpkgs Stdenv | 212 Members |
| 67 Servers |
| Nixpkgs Stdenv | 212 Members |
| 67 Servers |
| Sender | Message | Time |
|---|---|---|
| 15 Sep 2025 | ||
 Randy Eckenrode | For example, it maps Python packages to the We may apply patches or replace vendored dependencies. IIRC cryptography had a vulnerability in its statically-linked OpenSSL that would be fixed in nixpkgs in by updating or patching OpenSSL. The other issue is with FOD-based fetchers. There’s no visibility into what Rust crates ( I assume that would be actually be useful to have, but the problem being solved isn’t well-formulated. It’s just adding a thing someone’s company (presumably) wants. | 22:34:50 |
| Randy Eckenrode | I want to say that SBOM information should probably be a derivation, but there is still the problem that dependencies are not knowable from Nix. You have to build the package to find out. Also, are build dependencies needed (e.g., to make sure we didn’t use a compiler that inserted malicious code into our package)? | 22:36:22 |
 Tristan Ross | Yeah, the vendoring stuff is kinda odd. Packages would have to have meta information to say whether something is vendored or not. How would you solve the FOD problem? | 22:40:48 |
| Tristan Ross | I think that would depend on whoever wants to consume nixpkgs and have tooling which scans things. | 22:41:17 |
| Randy Eckenrode | If the SBOM info is a derivation, it can be built from the same FOD source using fetchCargoSBOM or whatever is written to support that. Including that as meta information would have storage costs the FODs avoid (e.g., fetchCargoVendor can use the Cargo.toml from the package’s src). | 22:43:54 |
| Randy Eckenrode | * If the SBOM info is a derivation, it can be built from the same FOD source using fetchCargoSBOM or whatever is written to support that. Including that as meta information would have storage costs the FODs can avoid (e.g., fetchCargoVendor can use the Cargo.toml from the package’s src). | 22:44:42 |
| Tristan Ross | That sounds good, can't really comment on it since idk much about SBOM's and security things. | 22:47:31 |
| Randy Eckenrode | I assume that’s the goal, but I don’t actually know based on the PR’s description. | 22:52:24 |
| Tristan Ross | Yeah, I think it's a decent start at least | 22:52:51 |
| Tristan Ross | At where I work, there's a good change we be needing it so I might be able to work on expanding it after this PR. | 22:54:14 |
| Randy Eckenrode | To simplify down my concern, it’s about maintenance burden. If companies are going to use this for supply chain purposes, are we at risk of getting a bunch of ‘my company’s vulnerability scanner says this package has a CVE’ issues that may actually be fixed in nixpkgs? | 22:54:39 |
| Tristan Ross | I'd like for the CVE stuff to go through review of the security team | 22:55:13 |
| Tristan Ross | Whether that's this or a company trying to upstream a fix. | 22:55:31 |
| 16 Sep 2025 | ||
 rosssmyth | SBOM stuff is generally falling of companies trying to comply with the EU's CRA. When I read the CRA I don't remember there being specific requirements for the SBOM, but once EU states start implementing it there might be. | 16:08:28 |
| rosssmyth | * SBOM stuff is generally falling out of of companies trying to comply with the EU's CRA. When I read the CRA I don't remember there being specific requirements for the SBOM, but once EU states start implementing it there might be. | 16:11:31 |
 Alyssa Ross | SBOM was actually mostly driven by USG after Solarwinds, as I recall… | 16:11:38 |
| rosssmyth | I see, I don't interact with that space so I wouldn't know. | 16:12:42 |
| Alyssa Ross | I don't either, I just know that I'd heard of SBOMs long before I'd heard of the CRA, and been asked for one for the first time before the CRA was even proposed. | 16:13:06 |
| 22 Sep 2025 | ||
 Philip Taron (UTC-8) | For https://github.com/NixOS/nixpkgs/issues/444721, I don't believe that there's anything to report under stdenv. | 18:38:33 |
| Tristan Ross | Yeah, we're good for now I believe | 18:46:48 |
| 23 Sep 2025 | ||
 kenji changed their display name from a-kenji to kenji. | 10:42:49 | |
| 30 Sep 2025 | ||
 dish [Fox/It/She] | Howdy stdenv folks. Progress on the minimal-bootstrap is going okay, but I'm hitting an error(which I'm pretty sure is the same one that the current minimal bootstrap hits) and I'm having issues getting it solved. Current branch with all of my work is https://github.com/pyrox0/nixpkgs/tree/bump/minimal-bootstrap , any help or suggestions on how to resolve this would be helpful. I'll post the tail of my build logs here in a second so that you can see the logs too. | 15:21:07 |
| dish [Fox/It/She] | Download gcc-4.6.4.log | 15:23:25 |
| dish [Fox/It/She] | the issue is on line 103 of the log | 15:23:37 |
 17lifers (at mikuplushfarm) joined the room. | 16:05:33 | |
| 17lifers (at mikuplushfarm) left the room. | 18:41:39 | |
| 1 Oct 2025 | ||
 frontear | I've been trying to compile a C program that uses a few random libs and headers from some packages, which I've correctly declared in Keep in mind this project has no Makefile or CMakeFiles, it's just a bunch of *.h and *.cpp files from an instructor, hence why I need to manually run compilation commands. I'm able to get it to compile by writing the flags myself, but I'm a little confused as to why this isn't working OOTB like the Nixpkgs manual suggests. Is there something I'm missing? | 01:01:28 |
| frontear | * I've been trying to compile a C program that uses a few random libs and headers from some packages, which I've correctly declared in Keep in mind this project has no Makefile or CMakeFiles, it's just a bunch of *.h and *.cpp files from an instructor, hence why I need to manually run compilation commands. I'm able to get it to compile by writing the flags myself, but I'm a little confused as to why this isn't working OOTB like the Nixpkgs manual suggests. Is there something I'm missing? I did check both aforementioned environment variables and they do seem to be populated, so I'm confused. | 01:02:21 |
| rosssmyth | NIX_CFLAGS_COMPILE doesn't do that everything automatically. It's mainly for stdlib stuff. You still need to provide the -I and -L flags for your build inputs, possibly using pkg-config if they supply it. | 03:46:41 |
| frontear | hm I see, I guess what also confused me was seeing that both NIX_CFLAGS_COMPILE and NIX_LDFLAGS were populated with the correct flags to include all the headers and libs respectively, for all of my declared build inputs. That, and the explanation in the Nixpkgs manual suggested that these flags were populated by the stdenv and were used by the CC wrapper and LD wrapper respectively. | 03:58:01 |