| 30 Jun 2026 |
Sergei Zimmerman (xokdvium) | Right yeah, I suppose so. Though the breakage seems rather scoped (i.e. 10s wait under yet undetermined conditions) | 23:57:46 |
hexa | then I guess via staging-next or staging-nixos, whichever comes first | 23:58:14 |
emily | hexa: any thoughts on ^? | 23:59:59 |
| 1 Jul 2026 |
hexa | pretty sure lesuisse already responded on the closed pr | 00:00:15 |
hexa | https://github.com/NixOS/nixpkgs/pull/533237#issuecomment-4844060191 | 00:00:30 |
emily | agreed on picking vs. bumping | 00:00:50 |
emily | I'm more concerned about whether we put it in staging-next, given the severity | 00:00:59 |
emily | it's ~50k rebuilds per platform but the latest CVE seems pretty awful | 00:01:21 |
emily | and iirc wasn't out at the time of that PR? | 00:01:28 |
hexa | annoying | 00:02:23 |
emily | it does give us the chance to pick up Rust 1.96.1 if we do it, since that was rushed out to ship both the libssh2 fixes and fix a miscompilation bug, though AFAICT the miscompilation bug isn't bad enough to be worth the rebuilds unless we're eating them anyway because of libssh2 | 00:03:35 |
emily | we are sufficiently ahead of schedule that it feels like it might be worth eating the rebuilds rather than shipping an RCE for weeks on unstable, but don't feel confident enough to make the call myself. worried about a call not happening until it's throwing away even more builds / delaying things longer though | 00:05:02 |
hexa | let's just do it | 00:07:31 |
hexa | it's not the stdenv | 00:07:37 |
hexa | it will be highly parallel | 00:07:44 |
hexa | darwin looks idle right now | 00:07:49 |
hexa | linux does 35k/25k steps per day | 00:08:06 |
hexa | so probably a two day delay | 00:08:25 |
hexa | the earlier the changes can be landed the better | 00:08:40 |
emily | not sure if I will have the time tonight to prepare a PR that picks the patches, the current one bumps to an unstable version with a ~600 commit delta from the release | 00:09:36 |
emily | which scares me | 00:09:42 |
whispers [& it/fae] | just yoinking the three patches from debian seems very low-risk and sane. diffs are small | 00:11:10 |
hexa | yeah, could mean nothing is ready for the (breaking?) changes in there | 00:11:18 |
hexa | I'm not super sure about the full scope; do the three patches cover everything relevant? | 00:11:49 |
whispers [& it/fae] | they cover the three CVEs I'm aware of and that the rust folks patched. i haven't tracked closely enough to know if there are others, though. | 00:13:25 |
whispers [& it/fae] | same three posted about on oss-sec too: https://seclists.org/oss-sec/2026/q2/1010 | 00:14:52 |
hexa | can you quickly check the pr? | 00:17:41 |
hexa | ^ | 00:17:48 |