| 16 Jan 2026 |
 Gaétan Lepage | In terms of rebuilds? A few thousands probably.
In terms of severity, it's not security-related. It fixes a specific issue that we discovered on cudaSupport when updating onnxruntime (https://github.com/NixOS/nixpkgs/pull/450587#discussion_r2698215974).
I can target staging if needed. | 14:17:42 |
 K900 | No, rebuild wise it is a lot more than that | 14:18:59 |
| K900 | I want to know what the impact is | 14:19:06 |
| Gaétan Lepage | For now I targetted staging: https://github.com/NixOS/nixpkgs/pull/480716 | 14:47:09 |
| K900 | glibc security update | 22:15:05 |
| K900 | Practical applicability unlikely but kinda sus | 22:15:15 |
| K900 | Do we scrap | 22:15:18 |
|  tnias joined the room. | 22:24:40 |
 Vladimír Čunát | That would delay the cycle roughly by 4 days currently, I'd estimate. | 22:29:41 |
 Fabián Heredia | In reply to @k900:0upti.me
Practical applicability unlikely but kinda sus Got the CVE/Advisory? | 22:31:13 |
| Fabián Heredia | * Got the CVE/Advisory/Bulletin? | 22:31:35 |
 emily | for an integer overflow issue in a memory allocation function? no | 22:31:59 |
| emily | anything letting untrusted parties pass huge values there is doomed already | 22:32:15 |
| emily | https://matrix.to/#/!ZRgXNaHrdpGqwUnGnj:nixos.org/$_nFYUuPwe8sGpb2iv1WyH1FKc7L_JM6CRRCF9fhPlKg?via=nixos.org&via=matrix.org&via=nixos.dev | 22:32:30 |
| emily | also, this involves allocating an object whose size can't fit in ptrdiff_t? | 22:33:28 |
| emily | that's UB in both LLVM and GCC | 22:33:34 |
| emily | so a security bug in any code that allows user input to trigger it both before and after remediation | 22:33:56 |
| emily | or well, maybe the alignment part makes it subtler here | 22:34:40 |
| emily | giving untrusted input control over alignment is pretty wild already though. unless I'm missing something this feels like nothing | 22:35:14 |
| Fabián Heredia | There are two, that is the first one and the second one is stack leak to a dns resolver | 22:37:35 |
| emily | ah ok I missed that one | 22:37:49 |
| emily | that one is also nothing :) | 22:38:28 |
| Fabián Heredia | Though I would say I don't think those are critical enough to require and inmediate rebuild | 22:38:31 |
 ma27 | fwiw no objections from my side on targeting staging instead of -next. Can retarget the PR tomorrow, I'll go to sleep now. | 22:39:24 |
| K900 | The second one is nothing | 22:39:41 |
| K900 | The first one I may have misread | 22:39:47 |
| K900 | It's almost 2AM | 22:39:51 |
| emily | yeah heap overflow in a case that is maybe compiler UB regardless and I'm any case involves giving attackers crazy levels of control of memory allocation, plus uncommon calls leaking small amounts of stack to DNS server = I sleep | 22:40:41 |
| emily | I'd expect -next contains juicier fixes already | 22:41:40 |
| 17 Jan 2026 |
 Sergei Zimmerman (xokdvium) | There's a slight include messup with cppnix 2.33 and glibc 2.42. I should send that to staging-next now? https://github.com/NixOS/nix/pull/15011 | 18:45:42 |
