| 1 Jul 2026 |
emily | we could perhaps just pick the ones from Rust | 00:36:58 |
emily | Debian seems to be on an older version and has a CVE fix from 2023 too and other patches | 00:37:25 |
emily | perhaps less likely to apply to our version | 00:37:30 |
whispers [& it/fae] | nah, they're not pulling the 2023 fix at all i think, it's commented here: https://salsa.debian.org/debian/libssh2/-/blob/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/series#L6. but yeah it seems like they're still on 1.11.1 | 00:38:17 |
whispers [& it/fae] | * nah, they're not pulling the 2023 fix at all i think, it's commented here: https://salsa.debian.org/debian/libssh2/-/blob/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/series#L6. it seems like they're also on 1.11.1 | 00:38:37 |
whispers [& it/fae] | just raw pulling the (3 CVE + libssh-unconst-backport.patch) debian patches as-is and applying them builds fine for me (ignoring that pr entirely) | 00:42:25 |
whispers [& it/fae] | some function names are different between the debian patch and the one in #533237, which looks like the cause of patch application failure | 00:43:08 |
hexa | great | 00:47:41 |
hexa | submit it :) | 00:47:45 |
whispers [& it/fae] | https://github.com/whispersofthedawn/nixpkgs/commit/221328822354d21491261889713272011e89dbcf builds with the unmodified debian patches | 00:47:43 |
whispers [& it/fae] | * https://github.com/whispersofthedawn/nixpkgs/commit/221328822354d21491261889713272011e89dbcf builds with the patches vendored from debian | 00:47:53 |
emily | looks like https://github.com/rust-lang/cargo/pull/17140/changes/353ce102e892a12a2fa04219ed4a6379c7e5031a avoids the macro backports | 00:48:27 |
emily | but picking the macro backport should be good too / maybe better | 00:48:33 |
emily | you can fetchurl these directly from salsa | 00:49:03 |
emily | other than that LGTM, let's get a PR :) | 00:49:14 |
whispers [& it/fae] | …right, i forgot you didn't need to fetchpatch (which infrecs), will do | 00:49:47 |
whispers [& it/fae] | * …right, i forgot you didn't need to fetchpatch (which infrecs), will do | 00:49:48 |
emily | yeah if you're fetching patch files vendored inside a repo from a commit-pinned URL fetchurl is fine | 00:51:17 |
emily | since it's not dynamic | 00:51:19 |
hexa | ouch | 00:52:11 |
hexa | that means it is in the fetchpatch bootstrap chain | 00:52:20 |
hexa | which explains the rebuild count | 00:52:23 |
emily | I wonder why | 00:52:43 |
emily | maybe we can break that | 00:52:57 |
emily | tbh though since it's a Rust rebuild… | 00:53:01 |
hexa | in curl | 00:53:04 |
emily | it'll still be tons | 00:53:05 |
emily | oh, makes sense | 00:53:10 |
hexa | you think? | 00:53:23 |
hexa | I don't think I ever had to fetchpatch over ssh | 00:53:33 |