| 29 Jun 2026 |
K900 | The Python ecosystem problem is not lockfiles | 17:06:18 |
Lach | They are impossible to use in upstream most of the time either D: | 17:06:38 |
dotlambda | And they invite you to never update. Take a guess how many CVEs we didn't fix because we use Rust and Node.js lockfiles | 17:07:08 |
Lach | I don't think this is a nixpkgs problem if upstream is not updating their dependencies? | 17:07:46 |
Alyssa Ross | When a C library has a vulnerability, we update it, and every dependent uses the fixed version | 17:08:11 |
Alyssa Ross | This is good | 17:08:15 |
Alyssa Ross | Cargo and whatever make that more difficult | 17:08:27 |
whispers [& it/fae] | it's a problem for the people who use it (us) so it's a problem for the distributors (also us) | 17:08:32 |
dotlambda | And we have open issues discussing solutions but none have been implemented | 17:08:52 |
Alyssa Ross | We could, as a distribution, update a vulnerable library once, for all packages in Nixpkgs, regardless of maintenance | 17:08:55 |
Alyssa Ross | Instead, every hobby single person upstream project has to react to security patch releases in all of their recursive dependencies. This sucks. | 17:09:23 |
Alyssa Ross | It's not impossible to solve this problem with lockfiles, but they do discourage it | 17:15:06 |
Lach | It's just that I have many things that I wish to upstream to nixpkgs, but the situation is awful with python, it's either using old libraries, or applying tons of patches on top of them
Making this a package maintainer problem doesn't seem to be a better solution | 17:15:18 |
Lach | As for lockfiles, CVE fixes are usually patch releases, I actually have a solution for that which involves patching lockfiles for patch package versions... I wonder if it can be applied to nixpkgs | 17:16:45 |
Alyssa Ross | that is a possible solution | 17:17:15 |
K900 | hexa we have to eat a python-redis rebuild | 17:36:28 |
K900 | 8.0.0 literally can't connect to a Unix socket | 17:36:28 |
hexa | 🤷 | 17:37:02 |
hexa | how large can the rebuild be | 17:37:19 |
hexa | the buck needs to stop somewhere | 17:38:35 |
hexa | CVE fixes are "usually patch releases" when people are experienced with proper release management | 17:39:05 |
K900 | (in reply to hexa: "how large can the rebuild be") idk | 17:40:20 |
K900 | But it fucked my French zoom | 17:40:26 |
Lach | Numpy 2.5 breaks astropy, astropy breaks imageio, imageio breaks half of the scientific python libraries...
And this is not just the tests, many breakages are in astropy internals...
And the only possible solution I see is to update astropy 7.2.0 => 8.0.0, which also has breakages
Is this ok for staging-next, or?.. | 17:40:53 |
hexa | yes, most of the time it is okay | 17:42:15 |
hexa | we are working ourselves to fix the leaves | 17:42:20 |
hexa | that's how it is | 17:42:22 |
hexa | what arrives on master is reasonably fine | 17:42:27 |
K900 | OK, downgrading filelock to the middle version did not help | 18:37:03 |