| 4 Sep 2025 |
|  atagen changed their profile picture. | 12:04:51 |
|  connor (burnt/out) (UTC-8) changed their display name from connor (he/him) (UTC+1) to connor (he/him) (UTC+2). | 17:03:07 |
| 6 Sep 2025 |
 dish [Fox/It/She] | also checked, our current bootstrap does not build as of latest master commit so we'll see if maybe i can get it to build lol | 00:27:37 |
| dish [Fox/It/She] | good ol gcc build errors | 00:28:23 |
| dish [Fox/It/She] | * good ol gcc build errors 🥴 | 00:33:33 |
|  SomeoneSerge (back on matrix) changed their display name from SomeoneSerge (Ever OOMed by Element) to SomeoneSerge (@nixcon & back on matrix). | 09:25:23 |
| 8 Sep 2025 |
|  Inayet set a profile picture. | 02:16:09 |
 sterni | the terminology distinction between bootstrap tools and bootstrap files is … interesting | 17:48:59 |
| 9 Sep 2025 |
|  ShamrockLee (Yueh-Shun Li) joined the room. | 05:45:38 |
| 10 Sep 2025 |
| SomeoneSerge (back on matrix) changed their display name from SomeoneSerge (@nixcon & back on matrix) to SomeoneSerge (back on matrix). | 00:38:37 |
| connor (burnt/out) (UTC-8) changed their display name from connor (he/him) (UTC+2) to connor (he/him) (UTC-7). | 22:20:29 |
| 11 Sep 2025 |
|  @ihar.hrachyshka:matrix.org joined the room. | 00:08:11 |
| 12 Sep 2025 |
|  Theo Paris left the room. | 01:43:08 |
| 13 Sep 2025 |
|  Lun joined the room. | 16:39:43 |
| 14 Sep 2025 |
|  @emma:rory.gay joined the room. | 08:40:01 |
 ris_ | https://github.com/NixOS/nixpkgs/pull/442945 | 16:47:53 |
 emily | I wonder how this will interact with Darwin / system libc++ | 17:21:54 |
| 15 Sep 2025 |
 Tristan Ross | Would be nice to have others chime in https://github.com/NixOS/nixpkgs/pull/421125 | 18:36:35 |
 Randy Eckenrode | Is this something that the Nixpkgs Architecture team should weigh in on supporting? | 21:36:02 |
| Randy Eckenrode | (Is that even still a thing?) | 21:36:15 |
| Randy Eckenrode | * | 21:36:23 |
| emily | it is not still a thing | 21:41:27 |
| emily | security team should probably weigh in re: the security tracker stuff | 21:42:13 |
| Tristan Ross | I'll forward it to the #security-discuss:nixos.org chat | 21:49:55 |
| Randy Eckenrode | I question its value as it is. I can post my issued in the PR later when I have time. | 22:28:10 |
| Randy Eckenrode | For example, it maps Python packages to the pypi scheme, but it’s not necessarily true that we are providing the same thing that’s on PyPI.
We may apply patches or replace vendored dependencies. IIRC cryptography had a vulnerability in its statically-linked OpenSSL that would be fixed in nixpkgs in by updating or patching OpenSSL.
The other issue is with FOD-based fetchers. There’s no visibility into what Rust crates (fetchCargoVendor) or Node packages (fetchNodeDeps), which actually are (more or less) the unmodified packages.
I assume that would be actually be useful to have, but the problem being solved isn’t well-formulated. It’s just adding a thing someone’s company (presumably) wants.
| 22:34:50 |
| Randy Eckenrode | I want to say that SBOM information should probably be a derivation, but there is still the problem that dependencies are not knowable from Nix. You have to build the package to find out. Also, are build dependencies needed (e.g., to make sure we didn’t use a compiler that inserted malicious code into our package)? | 22:36:22 |
| Tristan Ross | Yeah, the vendoring stuff is kinda odd. Packages would have to have meta information to say whether something is vendored or not. How would you solve the FOD problem? | 22:40:48 |
| Tristan Ross | I think that would depend on whoever wants to consume nixpkgs and have tooling which scans things. | 22:41:17 |
| Randy Eckenrode | If the SBOM info is a derivation, it can be built from the same FOD source using fetchCargoSBOM or whatever is written to support that. Including that as meta information would have storage costs the FODs avoid (e.g., fetchCargoVendor can use the Cargo.toml from the package’s src). | 22:43:54 |
