!UNVBThoJtlIiVwiDjU:nixos.org

Staging

400 Members
Staging merges | Running staging cycles: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+head%3Astaging-next+head%3Astaging-next-25.11 | Review Reports: https://malob.github.io/nix-review-tools-reports/
128 Servers



Sender | Message | Time
30 Jun 2026
@lach:delta.rocks Lach | Rustc 1.96.1 doesn't fix the avx512 problem | 17:48:54
@whispers:catgirl.cloud whispers [& it/fae] | * | 17:49:17
@emilazy:matrix.org emily | I see | 17:49:30
@emilazy:matrix.org emily | I'm a bit confused though | 17:49:39
@emilazy:matrix.org emily | if everything using zlib-rs should fail at build time, then we should be seeing a lot more fallout? | 17:49:50
@emilazy:matrix.org emily | for instance, jujutsu builds | 17:50:19
@emilazy:matrix.org emily | and that uses zlib-rs via gix | 17:50:25
@lach:delta.rocks Lach | Hmm, let me check if it isn't gated under #[cfg(feature...)]... | 17:50:28
@lach:delta.rocks Lach | Ah | 17:50:52
@lach:delta.rocks Lach | #[cfg(feature = "avx512")] | 17:50:54
@lach:delta.rocks Lach | https://github.com/trifectatechfoundation/zlib-rs/blob/5a96dcf8f36644074ca604dadae36591de5551a5/zlib-rs/src/adler32.rs#L5-L10 | 17:51:12
@lach:delta.rocks Lach | Let me check ndarray then | 17:51:18
@emilazy:matrix.org emily | "Will the point release be on the latest stable version or will it target every impacted stable version (1.94-96)? Since without the fix 1.94- is dangerously unusable for anything doing branchless programming patterns, which could manifest as CVEs. I basically found the issue doing an innocent refactor in my project..." https://rust-lang.zulipchat.com/#narrow/stream/474880-xxx/topic/.23158214.3A.20stable-nominated | 17:51:56
@emilazy:matrix.org emily | it sounds like the 1.96.1 miscompilation fix is for a bug that was introduced in 1.94 | 17:52:03
@emilazy:matrix.org emily | which implies to me: not worth scrapping the cycle over | 17:52:13
@lach:delta.rocks Lach | image.png | 17:53:44
@lach:delta.rocks Lach | It seems like upstream ndarray doesn't use avx512, ndarray that comes up in github search is this | 17:53:44
@emilazy:matrix.org emily | I think the remaining question is, is the libssh2 vuln bad enough | 17:53:45
@lach:delta.rocks Lach | I think it is remote code execution, where malicious remote server can overflow local buffer? So if some crate has git dependency with malicious server it is bad | 17:55:17
@lach:delta.rocks Lach | As for avx512... The only crates that I see affected at this moment are pgvecto-rs (deprecated) and vectorchord then... zlib-rs users are only affected if avx512 feature is enabled, and as far as I can see it is enabled by firefox and no well-known crates https://github.com/mozilla-firefox/firefox/blob/c681e91369f59d0efae43bdc465872b855e8b269/netwerk/socket/neqo_glue/Cargo.toml#L29 | 17:59:21
@whispers:catgirl.cloud whispers [& it/fae] | oh nevermind, CVE-2026-7598 was last cycle and is on master. CVE-2025-15661, CVE-2026-55199, and CVE-2026-55200 (at least) are all unpatched for libssh2 afaik | 18:00:05
@debtquity:matrix.org debtquity *

```
rocksdb> cmake flags: -GNinja -DCMAKE_FIND_USE_SYSTEM_PACKAGE_REGISTRY=OFF -DCMAKE_FIND_USE_PACKAGE_REGISTRY=OFF -DCMAKE_EXPORT_NO_PACKAGE_REGISTRY=ON -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DCMAKE_INSTALL_LOCALEDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/locale -DCMAKE_INSTALL_LIBEXECDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/libexec -DCMAKE_INSTALL_LIBDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/lib -DCMAKE_INSTALL_DOCDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/doc/rocksdb -DCMAKE_INSTALL_INFODIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/info -DCMAKE_INSTALL_MANDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/share/man -DCMAKE_INSTALL_INCLUDEDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/include -DCMAKE_INSTALL_SBINDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocksdb-10.10.1/sbin -DCMAKE_INSTALL_BINDIR=/nix/store/sl8939n8g5b2wdm508a7zzlmg4jawrj5-rocks
```

https://github.com/debtquity/nixpkgs-review-gha/actions/runs/28461253865/job/84349445690#step:6:5588

but this is missing all of the flags defined in `cmakeFlags`:

https://github.com/NixOS/nixpkgs/pull/537105/changes#diff-f169fc685573d8eaee885af02b69ba1a718da48f3a9ae1ee4bb64ca67cadef28R62-R82

I looked back at a hydra build for same package, but those flags are there: https://hydra.nixos.org/build/328605767/nixlog/1

only diff i can see is:

> -- The CXX compiler identification is Clang 21.1.8
> -- The C compiler identification is Clang 21.1.8

vs

> -- The CXX compiler identification is GNU 15.2.0
> -- The C compiler identification is GNU 15.2.0

(__structuredAttrs issue)

18:00:06
@lach:delta.rocks Lach | The only problem is that the bug was quite annoying to find and recognize that it is caused by nixpkgs rustc, and if someone will encounter that in their development environment... | 18:01:35
@emilazy:matrix.org emily | I guess we didn't try to build Firefox yet: https://hydra.nixos.org/build/333514377 | 18:01:48
@emilazy:matrix.org emily | so we might have to put a bodge in there for one cycle depending | 18:01:58
@whispers:catgirl.cloud whispers [& it/fae] | i've built firefox on staging-next just fine for x86_64-linux, if it's just a build time thing | 18:02:26
@emilazy:matrix.org emily | it's unfortunate, but it's a lot better than e.g. getting owned because security updates got delayed 5 days to fix it | 18:02:32
@whispers:catgirl.cloud whispers [& it/fae] | * fwiw i've built firefox on staging-next just fine for x86_64-linux, if it's just a build time thing | 18:02:48
@lach:delta.rocks Lach | image.png | 18:03:47
@lach:delta.rocks Lach | Ok, it was added in firefox 150 | 18:03:54



Room Version: 6