8 Jul 2025 |
vcunat | * That's the majority of all builds. | 19:51:21 |
vcunat | So if you want it earlier, I'd say whole staging into staging-next , probably. | 19:52:02 |
vcunat | But it's a tradeoff. You delay some security fixes and speed up other ones. | 19:52:17 |
K900 | The git one is badf | 19:53:02 |
K900 | * The git one is bad | 19:53:03 |
K900 | The other ones we have are less bad | 19:53:08 |
vcunat | I wonder if we could patch just gitFull for now and not gitMinimal . | 19:54:35 |
vcunat | * I wonder if we could patch just git + gitFull for now and not gitMinimal . | 19:55:15 |
vcunat | Or something like that to make it cheaper in the first iteration. | 19:55:30 |
K900 | I don't like that because it makes it REALLY hard to know if you're patched | 19:55:46 |
Fabián Heredia | Would probably require a split/refactor of the git package | 19:55:48 |
K900 | Because your patchedness will depend on the exact git you're using | 19:55:59 |
vcunat | Yes. | 19:56:11 |
vcunat | But that's just for the meantime. | 19:56:19 |
vcunat | Either you know that you're NOT patched. | 19:56:26 |
vcunat | Or if we do this, you may not be sure. | 19:56:38 |
vcunat | Even if Hydra weren't doing anything else, this on two branches is at least a full week of rebuilding. | 19:57:47 |
Fabián Heredia | Regarding staging, there aren't many commits on staging not on staging-next so I would be inclined to that option | 19:57:50 |
Fabián Heredia | fabian@fabian-desktop ~/D/O/n/main (push-lquyvunoutlx)> git diff origin/staging-next..origin/staging --stat
pkgs/build-support/setup-hooks/patch-shebangs.sh | 48 ++++++++++++++++++++----------------------------
pkgs/by-name/fo/fontforge/package.nix | 2 --
pkgs/by-name/ke/kexec-tools/package.nix | 5 +++++
pkgs/by-name/li/libogg/package.nix | 4 ++--
pkgs/by-name/md/mdns-scanner/package.nix | 6 +++---
pkgs/by-name/ps/psqlodbc/package.nix | 4 ++--
pkgs/development/libraries/gettext/default.nix | 1 +
pkgs/development/libraries/gettext/memory-safety.patch | 44 ++++++++++++++++++++++++++++++++++++++++++++
pkgs/development/libraries/gstreamer/bad/default.nix | 10 ++++++++--
pkgs/development/libraries/sqlite/default.nix | 6 +++---
pkgs/development/libraries/sqlite/tools.nix | 4 ++--
pkgs/development/libraries/wayland/default.nix | 4 ++--
pkgs/development/python-modules/certifi/default.nix | 8 ++++----
pkgs/development/python-modules/certifi/env.patch | 40 +++-------------------------------------
pkgs/development/python-modules/pyasynchat/default.nix | 2 ++
pkgs/development/tools/build-managers/rebar3/default.nix | 3 ---
pkgs/os-specific/linux/v4l-utils/default.nix | 25 ++++++++++++++++++-------
pkgs/os-specific/linux/v4l-utils/musl.patch | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
pkgs/test/stdenv/patch-shebangs.nix | 39 +++++++++++++++++++++++++++++++++++++++
| 19:58:00 |
K900 | We do have the patchShebangs fixes | 20:00:19 |
Fabián Heredia | wayland: 1.23.1 -> 1.24.0
gst_all_1.gst-plugins-bad: Only enable ldacbt and webrtc-audio-processing_1 when supported
v4l-utils: fix build for musl
gettext: backport upstream memory safety fix
Revert "rebar3: don't patchShebangs"
patch-shebangs: fix binary data corrupt after patching
kexec-tools: fix static build
python313Packages.certifi: 2025.4.26 -> 2025.6.15 (#420216)
fontforge: remove unused uthash dependency
psqlodbc: 17.00.0002 -> 17.00.0006
sqlite, sqlite-analyzer: 3.50.1 -> 3.50.2
python3Packages.pyasynchat: fix build on sandboxed Darwin
mdns-scanner: 0.16.1 -> 0.17.1
libogg: 1.3.5 -> 1.3.6
| 20:00:54 |
emily | I am sympathetic to ^ | 20:04:47 |
emily | we can publish a clear advisory to switch away from gitMinimal in user environments, or even a replaceDependencies suggestion for it | 20:05:07 |
emily | we can also point to vulnix | 20:05:31 |
emily | there are some dodgy things though. like NixOS services using gitMinimal | 20:06:18 |
Fabián Heredia | * Regarding staging, there aren't many commits on staging not on staging-next so I would be inclined for the get everything on staging into staging-next option | 20:07:16 |
leona | especially also things like github-runner 🫠 | 20:07:26 |
leona | (i hope they only really clone in the docker...) | 20:07:40 |
emily | still, if we ignore user support burden there's no way landing fixes to git and gitFull early is worse, right? | 20:11:45 |
emily | like, confusion vs. RCE | 20:11:53 |