| 15 Feb 2026 |
 emily | it seems like the same kind of reproducibility-load-bearing logic that makes us reject new complex FOD dep fetchers... maintaining an old zlib forever doesn't sound fun | 15:54:14 |
| emily | we've had to patch Chromium vendored zlibs for new compilers | 15:54:37 |
| emily | the fetchCargoVendor solution is to split the fetcher FOD and the input-addressed derivation that arranges it into the format Cargo accepts, is that not viable here? | 15:57:02 |
| emily | I guess we still might need the old zlib in that drv | 15:57:19 |
| emily | it's sort of only "nice to have" to check downloads against the lock file though if we have our own hash in Nixpkgs pinning it though right? | 15:58:24 |
| emily | (but admittedly introduces another TOFU step) | 15:58:37 |
 Randy Eckenrode | I have a fix: https://github.com/NixOS/nixpkgs/pull/490757. | 17:16:24 |
| Randy Eckenrode | Do I need to target staging-next? | 17:16:59 |
 Vladimír Čunát | Yes, please. | 17:17:41 |
| Vladimír Čunát | The issue plagues staging-next already. | 17:17:51 |
| Randy Eckenrode | I retargeted staging-next. | 17:20:12 |
| Randy Eckenrode | The only issue is Linux. I didn’t do the patches conditionally. Are we okay on Linux rebuilds currently, or do I need to make these conditional? | 17:20:42 |
| emily | should probably conditionalize and revert on staging | 17:28:34 |
| emily | (maybe I should put up my radical proposal to eliminate master-staging merge conflicts and get rid of the "guarded change + revert on staging" medium...) | 17:35:32 |
| emily | * | 17:35:38 |
| Vladimír Čunát | How would you get rid of that? | 17:40:50 |
| Vladimír Čunát | (without increasing rebuild amount in situations like we have with git now) | 17:41:07 |
|  matthewcroughan changed their display name from matthewcroughan @fosdem to matthewcroughan. | 17:55:53 |
| emily | well, I have ideas that are varying degrees of radical 😅 there are lots of ways we could get rid of the manual merge conflict resolution dance but the one that would streamline the -next rebuild avoidance dance looks like:
we only have one true branch (per release), master, and we conditionalize big rebuilds with feature flags conditionals like version = if ... stage... then "3.0" else "2.1";. preparing a new -next is just increasing the "epoch" past all currently staged changes. (could also make it a bit easier for us to say "uh, big security fix, let's roll a cycle without this risky stuff")
to do clean-up and reduce the tedium of authoring changes, we have a script that automatically adds these conditionals in a separate commit on top of your "staging-based" commit. merge queue checks you didn't break eval on any epoch and that the staging commits don't cause rebuilds at the relevant epoch. then -next/staging branches just undo those staging commits so you have base for changes and we merge them in for clean-up once a cycle completes. you only have to do manual "conflict resolution" when there's a genuine divergence between the branches and the script can't automatically do it, and it happens in the relevant PRs.
so here you'd add the patch, the script would add the conditionals, and staging vs. -next would just be a question of what epoch you assign it to. you can always see from master when there's changes in-flight, and clean-up happens automatically
| 18:02:03 |
| emily | this is also a lot more auditable than our current manual merges because we can treat the staging commits like the cherry-pick CI and flag them up when they're doing something non-automatic | 18:04:34 |
| Vladimír Čunát |
should probably conditionalize and revert on staging
Conditionalized.
| 18:07:43 |
| Vladimír Čunát | *
[git PR] should probably conditionalize and revert on staging
Conditionalized.
| 18:07:56 |
| Vladimír Čunát | [radical] I see (on a very high level at least). At a glance I'm a bit worried that some changes would be more difficult to write. And adding conditionals can cause unpleasant diffs because of force-formatting. | 18:12:53 |
| Vladimír Čunát | Nice for simple version bumps probably, though. | 18:13:48 |
 Grimmauld (any/all) | compression libs do get quite some CVEs for random shit. We call our package sources "trusted", because they are pinned by a hash - a luxury we can not afford before calculating the hash. If hashing itself is an unsafe operation, then things are wrong. And thus i have my doubts about pinned zlib... | 18:15:40 |
 K900 | I mean | 18:16:19 |
| K900 | This is what Yarn upstream does | 18:16:22 |
| K900 | The only other option is regenerate all lockfiles | 18:16:28 |
| K900 | But sigh | 18:16:32 |
| Vladimír Čunát | At that point we just mark these fetches as insecure? 😅 | 18:17:37 |
