8 Jul 2025 |
emily | whatever we do for gitMinimal doesn't stop us doing something now for the others | 20:12:11 |
Fabián Heredia | And PoC is with tools which might remain with the vulnerable version (e.g., GitHub Desktop) which do use the vulnerable git clone with recurse-submodules path. | 20:14:45 |
Fabián Heredia | ah nvm, that one isn't packaged in nixpkgs | 20:17:02 |
Fabián Heredia | oh no wait, it is github-desktop | 20:17:26 |
Fabián Heredia | https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/gi/github-desktop/package.nix | 20:17:47 |
emily | right. but we can still do whatever we would do to patch gitMinimal | 20:20:16 |
emily | while still fixing git and gitFull | 20:20:21 |
emily | I guess, let's put it this way | 20:20:33 |
emily | if we could fix git and gitFull in secret and not tell anyone, it would obviously be a good thing, right? | 20:20:46 |
emily | people would be strictly less exposed | 20:20:51 |
emily | the only problem here is around messaging and I think it's easier to solve messaging than someone getting owned | 20:21:07 |
Fabián Heredia | Yeah, not requiring user intervention | 20:21:08 |
emily | right, so we don't even have to tell people hey update now | 20:21:23 |
emily | we can do the fix and bump the channels and work on the bigger rebuilds and publish an advisory after and it'd still be better, I think. | 20:21:40 |
Alyssa Ross | In reply to @fabianhjr:matrix.org I don't think the git update can go straight to the main branch, it is a mass rebuild. So the options would be staging-next or staging.
Regarding that, there are still some pending fixes on staging-next so I don't think the overall cycle would be delayed much more vs merging the git update into staging. (But a lot of rebuilds would be incurred.) What I meant was: what if we merge the 3/5 done staging-next to master, then go straight into another staging-next | 20:22:22 |
Fabián Heredia | oh, yeah i like that option | 20:22:46 |
Alyssa Ross | But I like the idea of fixing the other gits first. Could do both. | 20:23:14 |
Fabián Heredia | There is still some breakage on staging-next but seems minor; I'm currently running my system on staging-next (gnome desktop) | 20:24:07 |
vcunat | Just trying CI on this git draft for now: https://github.com/NixOS/nixpkgs/pull/423603 | 20:24:59 |
Alyssa Ross | In reply to @fabianhjr:matrix.org There is still some breakage on staging-next but seems minor; I'm currently running my system on staging-next (gnome desktop) As long as the channel blockers are okay those don't need to be fixed in staging-next | 20:25:29 |
vcunat | * Just trying CI on this git draft for now: https://github.com/NixOS/nixpkgs/pull/423603 (I don't feel strongly about all this.) | 20:25:34 |
Fabián Heredia |
Changed packages (44709)
CI says about the same rebuilds vcunat unu
| 20:40:11 |
emily | (probably means stuff is bringing in git that shouldn't be…) | 20:54:37 |
Grimmauld (any/all) | python3 hatch-vcs and poetry (3.13 and 3.12) | 21:09:36 |
Grimmauld (any/all) | that's ~25k of the ~29k rebuilds, but obviously dropping those two doesn't drop all 25k rebuilds because some packages are "hidden" if they depend on hatch/poetry and thus don't cause extra rebuilds | 21:13:39 |
Fabián Heredia | That would be the same for doing the plain git update? ( https://matrix.to/#/!UNVBThoJtlIiVwiDjU:nixos.org/$ZC0uUP9TeZsTvSqEFx6BLC0R2s1wDtuw_GOKQ43gyFc?via=nixos.org&via=matrix.org&via=tchncs.de ) | 21:15:35 |
Grimmauld (any/all) | yep | 21:22:11 |
Grimmauld (any/all) | we can't really fix hatch/poetry without also eating that rebuild, at which point it doesn't matter for the speed at which we can push out git itself | 21:22:45 |
Grimmauld (any/all) | diff --git a/pkgs/development/python-modules/hatch-vcs/default.nix b/pkgs/development/python-modules/hatch-vcs/default.nix
index 3592cbf86d80..1810472ea583 100644
--- a/pkgs/development/python-modules/hatch-vcs/default.nix
+++ b/pkgs/development/python-modules/hatch-vcs/default.nix
@@ -4,7 +4,7 @@
fetchPypi,
pytestCheckHook,
pythonOlder,
- git,
+ gitMinimal,
hatchling,
setuptools-scm,
}:
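Review bot: the argument rename from `git` to `gitMinimal` in this hunk only evaluates if every other reference to `git` in the file is updated in the same change; the hunk at -30 covers `nativeCheckInputs`, so confirm there are no remaining uses of `git` elsewhere in hatch-vcs/default.nix, since a stale reference would be an undefined variable at evaluation time.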
@@ -30,7 +30,7 @@ buildPythonPackage rec {
];
nativeCheckInputs = [
- git
+ gitMinimal
pytestCheckHook
];
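Review bot: `gitMinimal` replaces a test-time dependency only (it sits in `nativeCheckInputs`), so the runtime closure of hatch-vcs is unchanged; re-run the check phase to confirm the tests that invoke git still pass with the reduced build, and record the rebuild-count motivation from the discussion above in the commit message, because the diff by itself does not say why `git` was swapped.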
diff --git a/pkgs/development/python-modules/poetry-core/default.nix b/pkgs/development/python-modules/poetry-core/default.nix
index e5a62637975a..0d9a5c4ecdee 100644
--- a/pkgs/development/python-modules/poetry-core/default.nix
+++ b/pkgs/development/python-modules/poetry-core/default.nix
@@ -5,7 +5,7 @@
fetchFromGitHub,
pythonOlder,
build,
- git,
+ gitMinimal,
pytest-cov-stub,
pytest-mock,
pytestCheckHook,
@@ -31,7 +31,7 @@ buildPythonPackage rec {
nativeCheckInputs = [
build
- git
+ gitMinimal
pytest-mock
pytest-cov-stub
pytestCheckHook
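Review bot: this hunk's trailing context stops at `pytestCheckHook` rather than the closing `];`, so the remainder of poetry-core's `nativeCheckInputs` is not visible for review; verify that the `- git` / `+ gitMinimal` pair at -31 is the only test-input change needed and that, as in hatch-vcs, no other reference to the removed `git` argument remains in the file.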
currently checking how many rebuilds after that, but I am aware it doesn't help us for this currently.
| 21:33:04 |
Grimmauld (any/all) | Okay, with that it's down to ~15k rebuilds on git; likely would want to do meson-python too and then it'd be acceptable | 21:41:26 |