22 Mar 2025 |
Grimmauld (any/all) | (when explicitly linking it in) | 19:55:11 |
Grimmauld (any/all) | GOT IT! (i think) | 20:07:20 |
Grimmauld (any/all) | it was doing weird pkg-config logic internally, which can be overridden if you know the special env var | 20:07:38 |
Grimmauld (any/all) | oh crap the build is *flaky | 20:19:52 |
Grimmauld (any/all) | * oh crap the build is flaky now | 20:19:59 |
emily | can we just find a CVE and slap knownVulnerabilities on it | 20:26:21 |
emily | nobody should be using decade old disk encryption | 20:26:30 |
Grimmauld (any/all) | https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ecryptfs
seems some samsung phones were using it in 2018 (and had some security issues too), the more modern issues were in kernel and are resolved. Maybe could try to repro CVE-2016-1572 i guess? that sounds juicy, nice local privesc, severity 8.4 | 20:41:44 |
Grimmauld (any/all) | though if we do attempt that, should probably move to #security-discuss:nixos.org or #security:nixos.org | 20:44:37 |
Grimmauld (any/all) | Anyways, build fix is here: https://github.com/NixOS/nixpkgs/pull/392196
it does still pass the nixos tests, so should be fine. | 20:45:58 |
Grimmauld (any/all) | (this does just disable the openssl module in ecryptfs) | 20:46:13 |
emily | In reply to @grimmauld:grimmauld.de (this does just disable the openssl module in ecryptfs) uh, what crypto does it fall back to? | 21:27:30 |
emily | naive implementations with side channels? | 21:27:40 |
Grimmauld (any/all) | probably lmfao | 21:28:02 |
Grimmauld (any/all) | i mean, from the looks of it it never built against openssl anyways | 21:28:31 |
Grimmauld (any/all) | ossl was not linked in any of the inputs | 21:28:41 |
Grimmauld (any/all) | https://hydra.nixos.org/build/291812413/nixlog/1 First off, all the patches fail (oh well), but if you ctrl+f/grep for openssl, it'll say it is not found. The breakage came from it pulling ossl from somewhere as of recent staging cycle | 21:34:52 |
Grimmauld (any/all) | there might be some argument to be made figuring out where tf it pulled openssl from. But just disabling openssl is not a regression. | 21:35:20 |
emily | I see | 21:36:16 |
emily | fair enough | 21:36:17 |
Grimmauld (any/all) | this was last build on hydra trunk from earlier this morning, but checking back in 2016 it was a similar thing | 21:36:55 |
Grimmauld (any/all) | openssl just never was linked, it seems | 21:37:04 |
Grimmauld (any/all) | even more reason to find some CVE and slap it. But not today. | 21:37:23 |
23 Mar 2025 |
Tristan Ross | XML-Parser is quite broken due to expat upgrade. Revert is available: https://github.com/NixOS/nixpkgs/pull/392267 | 03:41:05 |
Randy Eckenrode | nixpkgs had been using OpenSSL 3.0 for a while but switched to track the latest for 25.05 (or was it 24.11?). I don’t know why it’s failing, but could you use openssl_3 instead of openssl? | 12:24:12 |
Randy Eckenrode | Now that I caught up, I see you opened a PR. I’ll leave that there as informational. | 12:26:57 |
Grimmauld (any/all) | it never built against ossl in the past. It seems recently something put ossl into passthrough or something, because the autodetect features logic now suddenly found ossl. | 12:27:46 |
Grimmauld (any/all) | solution was just to disable ossl. | 12:27:54 |
Grimmauld (any/all) | that restores old behavior, though probably not the secure thing to do - it maybe should have built against ossl years ago. At this point i am happy to fix the build and slap it with knownVulns as soon as anyone has a repro of anything | 12:28:38 |