| 1 Jul 2026 |
hexa | annoying | 00:02:23 |
emily | it does give us the chance to pick up Rust 1.96.1 if we do it, since that was rushed out to ship both the libssh2 fixes and fix a miscompilation bug, though AFAICT the miscompilation bug isn't bad enough to be worth the rebuilds unless we're eating them anyway because of libssh2 | 00:03:35 |
emily | we are sufficiently ahead of schedule that it feels like it might be worth eating the rebuilds rather than shipping an RCE for weeks on unstable, but don't feel confident enough to make the call myself. worried about a call not happening until it's throwing away even more builds / delaying things longer though | 00:05:02 |
hexa | let's just do it | 00:07:31 |
hexa | it's not the stdenv | 00:07:37 |
hexa | it will be highly parallel | 00:07:44 |
hexa | darwin looks idle right now | 00:07:49 |
hexa | linux does 35k/25k steps per day | 00:08:06 |
hexa | so probably a two day delay | 00:08:25 |
hexa | the earlier the changes can be landed the better | 00:08:40 |
emily | not sure if I will have the time tonight to prepare a PR that picks the patches, the current one bumps to an unstable version with a ~600 commit delta from the release | 00:09:36 |
emily | which scares me | 00:09:42 |
whispers [& it/fae] | just yoinking the three patches from debian seems very low-risk and sane. diffs are small | 00:11:10 |
hexa | yeah, could mean nothing is ready for the (breaking?) changes in there | 00:11:18 |
hexa | I'm not super sure about the full scope; do the three patches cover everything relevant? | 00:11:49 |
whispers [& it/fae] | they cover the three CVEs I'm aware of and that the rust folks patched. i haven't tracked closely enough to know if there are others, though. | 00:13:25 |
whispers [& it/fae] | same three posted about on oss-sec too: https://seclists.org/oss-sec/2026/q2/1010 | 00:14:52 |
hexa | can you quickly check the pr? | 00:17:41 |
hexa | ^ | 00:17:48 |
emily | https://github.com/rust-lang/cargo/pull/17140 has the rust backports | 00:18:50 |
emily | for comparison | 00:19:04 |
emily | 2026-55200 looks correct | 00:19:40 |
emily | as does 2026-55199 | 00:19:53 |
emily | 2025-15661 makes my eyes glaze over so I'll let someone else assess that one | 00:20:02 |
whispers [& it/fae] | this pr fails to build as-is, patches for 55200 don't apply | 00:33:31 |
hexa | does debian apply them to a different version? | 00:34:01 |
emily | we could perhaps just pick the ones from Rust | 00:36:58 |