!OqhvaDMJdKYUicLDiE:nixos.org

Nixpkgs Stdenv

218 Members
69 Servers

You have reached the beginning of time (for this room).

SenderMessageTime
12 Sep 2025
@creepinson:matrix.org@creepinson:matrix.org left the room.01:43:08
13 Sep 2025
@lt1379:matrix.orgLun joined the room.16:39:43
14 Sep 2025
@emma:rory.gay@emma:rory.gay joined the room.08:40:01
@r_i_s:matrix.orgris_https://github.com/NixOS/nixpkgs/pull/44294516:47:53
@emilazy:matrix.orgemilyI wonder how this will interact with Darwin / system libc++17:21:54
15 Sep 2025
@rosscomputerguy:matrix.orgTristan RossWould be nice to have others chime in https://github.com/NixOS/nixpkgs/pull/42112518:36:35
@reckenrode:matrix.orgRandy EckenrodeIs this something that the Nixpkgs Architecture team should weigh in on supporting?21:36:02
@reckenrode:matrix.orgRandy Eckenrode(Is that even still a thing?)21:36:15
@reckenrode:matrix.orgRandy Eckenrode * 21:36:23
@emilazy:matrix.orgemilyit is not still a thing21:41:27
@emilazy:matrix.orgemilysecurity team should probably weigh in re: the security tracker stuff21:42:13
@rosscomputerguy:matrix.orgTristan Ross I'll forward it to the #security-discuss:nixos.org chat 21:49:55
@reckenrode:matrix.orgRandy Eckenrode I question its value as it is. I can post my issued in the PR later when I have time. 22:28:10
@reckenrode:matrix.orgRandy Eckenrode

For example, it maps Python packages to the pypi scheme, but it’s not necessarily true that we are providing the same thing that’s on PyPI.

We may apply patches or replace vendored dependencies. IIRC cryptography had a vulnerability in its statically-linked OpenSSL that would be fixed in nixpkgs in by updating or patching OpenSSL.

The other issue is with FOD-based fetchers. There’s no visibility into what Rust crates (fetchCargoVendor) or Node packages (fetchNodeDeps), which actually are (more or less) the unmodified packages.

I assume that would be actually be useful to have, but the problem being solved isn’t well-formulated. It’s just adding a thing someone’s company (presumably) wants.

22:34:50
@reckenrode:matrix.orgRandy EckenrodeI want to say that SBOM information should probably be a derivation, but there is still the problem that dependencies are not knowable from Nix. You have to build the package to find out. Also, are build dependencies needed (e.g., to make sure we didn’t use a compiler that inserted malicious code into our package)?22:36:22
@rosscomputerguy:matrix.orgTristan RossYeah, the vendoring stuff is kinda odd. Packages would have to have meta information to say whether something is vendored or not. How would you solve the FOD problem?22:40:48

Show newer messages

Back to Room ListRoom Version: 9