| 20 Mar 2026 |
 raitobezarius | (also discussions not here) | 17:43:10 |
 曜日 | My apologies for the confusion. I had only meant to share the project here — though I came across a wishlist that seemed to align rather closely with what it does, and one thing led to another. | 17:54:20 |
| 曜日 | Apologies — should I take this to #security:nixos.org instead? | 17:55:05 |
| 曜日 | * Apologies — should I take this to #security-discuss:nixos.org instead? | 17:55:17 |
 ElvishJerricco | https://github.com/NixOS/nixpkgs/pull/501701 fixing a vuln in https://github.com/NixOS/nixpkgs/pull/493445 that is presently on master | 18:38:59 |
| ElvishJerricco | need to make sure it doesn't hit unstable. It's already on unstable-small | 18:40:19 |
 dotlambda | not sure what to do about https://github.com/NixOS/nixpkgs/issues/500142 on 25.11 | 18:43:45 |
| dotlambda | https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92 doesn't apply cleanly | 18:44:18 |
| ElvishJerricco | K900, vcunat: do we need to cancel an unstable eval or anything like that to keep this from hitting unstable? I suspect it impacts a significant portion of boot.initrd.secrets users. | 19:10:05 |
 vcunat | Since the tested job passed, cancelling the rest would make it advance immediately. | 19:11:42 |
| vcunat | And it's in unstable-small channel, too. | 19:12:14 |
| ElvishJerricco | So we'll have to just merge and wait for it to reach unstable in a few days? Do we need to issue an advisory then? | 19:14:01 |
| vcunat | unstable-small can get it within a couple hours. | 19:14:54 |
 lennart | not meaning to be rude, but I have highlight on for every message in this channel. I guess lots of others of us 670+ people do so aswell, can you switch over to #security-discuss:nixos.org? | 19:15:33 |
 emily | (I don't think a highlight on every message in here is a good idea, it's not an advisory notification channel, triage has to happen in the triage room even if not extended discussions…) | 19:16:56 |
| emily | (& many many vulnerabilities never come up in here at all 😅) | 19:17:31 |
| lennart | ah sorry, that wasn't clear to me. | 19:17:36 |
| lennart | I vaguely remember that I had this before, sorry, gonna turn of the notifications :D | 19:48:31 |
| 21 Mar 2026 |
| vcunat | Noone has reacted the initrd secrets problem apparently? I think it wouldn't be too hard to prevent nixos-unstable from updating, but should we? Also if it's bad, we need to merge quickly to fix nixos-unstable-small. | 06:16:30 |
 K900 | We should | 06:16:46 |
| K900 | It's stupid | 06:16:51 |
| vcunat | Done, I think.
Loaded: masked (Reason: Unit update-nixos-unstable.service is masked.)
| 06:21:35 |
| emily | perhaps revert for now? | 14:12:53 |
| K900 | @ElvishJerricco has a fix | 14:20:44 |
| ElvishJerricco | If no one's going to review it then I guess we just revert though | 14:21:15 |
| ElvishJerricco | I'd merge because I'm reasonably sure of the fix. But plausibly the original PR did it that way for some reason and the author / reviewers of it should chime in. I mean I think that's unlikely but that's one reason I haven't just self-merged it | 14:22:52 |
| emily | we had a fix 20 hours ago, we could have merged a revert like 24 hours ago | 14:31:17 |
| vcunat | Rebuilding all tests takes a while, but yes. | 14:39:49 |
| vcunat | * Rebuilding all tests takes a while, but yes.
(at least I assume that the fix wouldn't rebuild most tests) | 14:55:56 |
| vcunat | I guess we revert for now:
https://github.com/NixOS/nixpkgs/pull/501963 | 15:01:56 |
