2 Jul 2024 |
flyx | trying… would be funny, because a reference to another flake did update with that | 18:43:58 |
flyx | nix flake update nixpkgs works longer, but also doesn't update the rev in the lock file | 18:46:02 |
emily | does nix flake update without any parameters make a difference? if not, can you post your flake.nix maybe? | 18:47:04 |
flyx | nix flake update does update other referenced flakes, but not nixpkgs. my flake is a longer business, here's the inputs section:
inputs = {
  nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
  nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
  utils.url = "github:numtide/flake-utils";
  home-manager = {
    url = "github:nix-community/home-manager/release-24.05";
  };
  colmena = {
    url = "github:zhaofengli/colmena/v0.3.2";
    inputs.utils.follows = "utils";
  };
  dsa41heldendokument = {
    url = "github:flyx/DSA-4.1-Heldendokument";
    inputs.nixpkgs.follows = "nixpkgs";
    inputs.utils.follows = "utils";
  };
  nimyaml = {
    url = "github:flyx/NimYAML";
    inputs.utils.follows = "utils";
  };
  nyarna-web = { url = "github:nyarnalang/website"; };
};
| 18:50:06 |
emily | are you sure it's not that there are other nixpkgs inputs in your dependencies that you're not overriding and that aren't getting updated? | 18:51:09 |
emily | often you'll have e.g. nixpkgs_2 etc. in the lock | 18:51:19 |
flyx | ah, that makes sense. yeah, I looked at the wrong nixpkgs, silly. thanks! | 18:56:04 |
flyx | my original problem was that after the update, I wouldn't get a patched OpenSSH on my server, so I tried to figure out why that would be as it should be in nixos-24.05. the lock file apparently was the wrong place to look for the problem | 18:56:30 |
emily | are you sure it's not patched? | 19:04:44 |
emily | the version wasn't bumped or anything | 19:04:47 |
emily | (yes, this means it's kind of hard to tell whether you're vulnerable, sorry; it was a big rush) | 19:05:07 |
emily | you can check your ssh matches nix path-info github:NixOS/nixpkgs/nixos-24.05#openssh or such | 19:06:11 |
flyx | ah. I was checking for 9.8p1 and my sshd shows 9.7p1 but the path does match. thanks again! | 19:08:49 |
emily | yeah, 9.8p1 is a major release with breaking changes so we used upstream's few-line patches for old versions on stable instead | 19:09:29 |
emily | I imagine this is going to keep coming up though, so maybe we should consider adding some kind of indication | 19:09:47 |
emily | I think upstream does not care about releasing official security fix releases for old versions unfortunately :( | 19:10:17 |
emily | how were you checking, -V output? | 19:10:35 |
flyx | I did systemctl status sshd.service and looked at the nix store path in the last line under CGroup | 19:12:40 |
emily | thanks | 19:21:22 |
emily | so maybe changing the derivation name would have helped | 19:21:27 |
flyx | yeah, that would have been noticeable | 19:22:49 |