8 Jul 2025 |
Yureka (she/her) | not saying it shouldn't be done, but the decision to try it the first time shouldn't be taken lightly | 19:03:14 |
Vladimír Čunát | Just recommendations on discourse, etc. | 19:03:16 |
Vladimír Čunát | * Just recommendations on discourse so far, etc. | 19:03:24 |
Vladimír Čunát | * Just recommendations/snippets on discourse so far, etc. | 19:03:34 |
Grimmauld (any/all) | last time we had comparable was xz, which had replaceDependencies on discourse, no official release of such though | 19:06:25 |
Fabián Heredia | * Preparing a PR to upgrade git to the suggested version 2.50.1 but unsure, will leave it on top of the merge base of the main branch and staging-next
EDIT: on top of staging-next, there is a git update this cycle | 19:07:04 |
Alyssa Ross | In reply to @k900:0upti.me ("Do we scrap the cycle"): Now this is a more compelling reason | 19:22:51 |
Fabián Heredia | * 2.49 → 2.50.0 is on staging-next but not main branch, targeting staging-next
https://github.com/NixOS/nixpkgs/pull/423559
Was dupe, this one was submitted before: https://github.com/NixOS/nixpkgs/pull/423553
| 19:23:02 |
Alyssa Ross | We're only a few days in, right? | 19:23:11 |
K900 | We're a lot in tbh | 19:23:20 |
Alyssa Ross | Oh :( | 19:23:26 |
K900 | But I don't think it matters really | 19:23:30 |
Alyssa Ross | I guess the question is what would we be delaying | 19:24:37 |
Alyssa Ross | Are there any good security updates in the current batch? | 19:24:51 |
Grimmauld (any/all) | pam? maybe? | 19:25:49 |
Fabián Heredia | git log origin/master..origin/staging-next --grep CVE
> linux-pam: apply patch for CVE-2025-6020 (#418180)
> A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.
> openssl_3_5: 3.5.0 -> 3.5.1
> The most severe CVE fixed in this release is Low.
> libxml2: Apply ABI breaking patch from Chromium needed for libxslt CVE fixes
> openssl_3_5: fix for CVE-2025-4575
> Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate. Impact summary: If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that use.
| 19:28:06 |
Fabián Heredia | These are the 4 I could find, most severe seems to be pam | 19:28:08 |
Fabián Heredia | Also
libxslt: Fix three security issues (#418055)
| 19:28:48 |
Alyssa Ross | Would there be any sense merging now, and then restarting? | 19:29:34 |
Alyssa Ross | Would presumably be less bad than sending an update straight to master, and still accelerate getting git update out? | 19:30:06 |
Fabián Heredia | libxslt ones issues seem to have been hidden/removed, could still be under embargo | 19:30:50 |
Fabián Heredia | * libxslt issues seem to have been hidden/removed, could still be under embargo | 19:31:50 |
| Fred Lahde joined the room. | 19:43:14 |
Fabián Heredia | I don't think the git update can go straight to the main branch, it is a mass rebuild. So the options would be staging-next or staging.
Regarding that there are still some pending fixes on staging-next so I don't think the overall cycle would be delayed much more vs merging the git update into staging. (But a lot of rebuilds would be incurred) | 19:44:23 |
Fabián Heredia | We are currently 4 days into this staging-next cycle | 19:44:47 |
Fabián Heredia | (image attachment: image.png) | 19:47:07 |
Fabián Heredia | Jobs wise it is about 3/5ths builds done | 19:47:13 |
Fabián Heredia | vcunat are you inclined / prefer staging-next or staging for this git security update? | 19:50:07 |
Vladimír Čunát |
Rebuild: linux 44750, darwin 29576
| 19:51:05 |
Vladimír Čunát | That's most builds. | 19:51:11 |