| 16 Jan 2026 |
Gaétan Lepage | Would you be fine with tanking a protobuf change in staging-next at this time? | 14:14:21 |
K900 | Probably not | 14:14:46 |
K900 | How bad is it | 14:14:48 |
Gaétan Lepage | In terms of rebuilds? A few thousands probably.
In terms of severity, it's not security-related. It fixes a specific issue that we discovered on cudaSupport when updating onnxruntime (https://github.com/NixOS/nixpkgs/pull/450587#discussion_r2698215974).
I can target staging if needed. | 14:17:42 |
K900 | No, rebuild wise it is a lot more than that | 14:18:59 |
K900 | I want to know what the impact is | 14:19:06 |
Gaétan Lepage | For now I targeted staging: https://github.com/NixOS/nixpkgs/pull/480716 | 14:47:09 |
K900 | glibc security update | 22:15:05 |
K900 | Practical applicability unlikely but kinda sus | 22:15:15 |
K900 | Do we scrap | 22:15:18 |
Vladimír Čunát | That would delay the cycle roughly by 4 days currently, I'd estimate. | 22:29:41 |
Fabián Heredia | (in reply to K900: "Practical applicability unlikely but kinda sus") Got the CVE/Advisory? | 22:31:13 |
Fabián Heredia | * Got the CVE/Advisory/Bulletin? | 22:31:35 |
emily | for an integer overflow issue in a memory allocation function? no | 22:31:59 |
emily | anything letting untrusted parties pass huge values there is doomed already | 22:32:15 |
emily | https://matrix.to/#/!ZRgXNaHrdpGqwUnGnj:nixos.org/$_nFYUuPwe8sGpb2iv1WyH1FKc7L_JM6CRRCF9fhPlKg?via=nixos.org&via=matrix.org&via=nixos.dev | 22:32:30 |
emily | also, this involves allocating an object whose size can't fit in ptrdiff_t? | 22:33:28 |
emily | that's UB in both LLVM and GCC | 22:33:34 |
emily | so a security bug in any code that allows user input to trigger it both before and after remediation | 22:33:56 |
emily | or well, maybe the alignment part makes it subtler here | 22:34:40 |
emily | giving untrusted input control over alignment is pretty wild already though. unless I'm missing something this feels like nothing | 22:35:14 |
Fabián Heredia | There are two, that is the first one and the second one is stack leak to a dns resolver | 22:37:35 |
emily | ah ok I missed that one | 22:37:49 |
emily | that one is also nothing :) | 22:38:28 |
Fabián Heredia | Though I would say I don't think those are critical enough to require an immediate rebuild | 22:38:31 |
ma27 | fwiw no objections from my side on targeting staging instead of -next. Can retarget the PR tomorrow, I'll go to sleep now. | 22:39:24 |
K900 | The second one is nothing | 22:39:41 |
K900 | The first one I may have misread | 22:39:47 |
K900 | It's almost 2AM | 22:39:51 |