| 13 Jul 2023 |
j-k | I was very excited when it was announced. I was fed up of explaining "no, this critical k8s vuln doesn't affect my linter that transitively imports k8s stuff" pretty much every single week. | 15:57:42 |
@qbit:tapenet.org | heh | 15:58:30 |
@qbit:tapenet.org | i have been using it for a bit now, it seems to do a really good job | 15:58:48 |
@qbit:tapenet.org | really low false positive rate (not sure i have seen one.. ) | 15:59:07 |
j-k | I'm surprised they didn't bump the modules for 1.0.0, I doubt none of these have updated since | 15:59:52 |
@qbit:tapenet.org | oh, hah - i didn't even notice the vendorHash didn't change | 16:02:47 |
@qbit:tapenet.org | https://github.com/golang/vuln/compare/v0.2.0...v1.0.0.patch i had to double check (make sure i didn't mess up :D) | 16:05:48 |
@qbit:tapenet.org | (also ... and .diff/.patch are one of my fav features of gh) | 16:06:39 |
@eyjhb:eyjhb.dk | Whoops https://pkg.go.dev/vuln/GO-2023-1878 | 18:09:03 |
@eyjhb:eyjhb.dk | Found in my code | 18:09:06 |
| 15 Jul 2023 |
| @jarkad:tchncs.de joined the room. | 19:27:28 |
| 18 Jul 2023 |
| kirillrdy set a profile picture. | 12:22:39 |
| 22 Jul 2023 |
| @jarkad:tchncs.de left the room. | 02:13:30 |
| 23 Jul 2023 |
| vcunat joined the room. | 11:52:46 |
Artturin | https://github.com/NixOS/nixpkgs/pull/242905#issuecomment-1646877937 | 16:17:05 |
Artturin | the last message from go mod vendor is
k2tf> go: replacement path ./vendor/k8s.io/cli-runtime/pkg/kustomize/k8sdeps/transformer inside vendor directory
| 16:19:10 |
Artturin | tinygo.goModules
error: illegal path references in fixed-output derivation '/nix/store/06v7rn03bgsnzvv89dn8i2a6kap1fijl-tinygo-0.26.0-goModules.drv'
| 16:28:47 |
Artturin | These modules built correctly on older go versions but not on newer go versions | 16:29:11 |
Artturin | How can vendoring break version to version, Go damn | 16:29:49 |
Artturin | * How can vendoring break in multiple ways version to version, Go damn | 16:30:43 |
@qbit:tapenet.org | Is there a rewrite in the go.mod? | 17:17:55 |
| @atalii:matrix.org joined the room. | 17:58:44 |
@atalii:matrix.org | is it okay if i ask a quick question about buildGoModule here? i'm reading through the source to get an idea of how to handle deps for a different language and build system, and it seems that the buildPhase of buildGoModule calls go mod vendor or go mod package. that seems to require the network, but it also seems to work in the sandbox. would anyone be able to tell me what i'm missing here? thanks :) | 18:00:56 |
@qbit:tapenet.org | the vendor stuff gets put in to its own derivation which gets linked in at build | 18:26:51 |
@qbit:tapenet.org | also go will print out "downloading..." even though it's using the vendor'd stuff | 18:27:05 |
@qbit:tapenet.org | https://github.com/qowoz/nixpkgs/blob/master/pkgs/build-support/go/module.nix#L55 | 18:27:06 |
@atalii:matrix.org | Okay - I think I'm misunderstanding quite a bit, then. where does the builder fetch the sources to vendor? | 18:30:40 |
@qbit:tapenet.org | it's part of the main derivation, if you set vendorHash = ""; it will rebuild the ${name}-go-modules stuff | 18:33:29 |
@qbit:tapenet.org | are you getting an error ? | 18:33:43 |
@atalii:matrix.org | no; just trying to understand the build process so i can do something like it for a different language. my understanding is that first go-modules is built, which runs go mod vendor or go mod download, and that output is then linked into the main derivation? | 18:35:21 |