| 20 Jul 2021 |
|  hxliew joined the room. | 02:16:26 |
 das_j | DOS in systemd: https://www.openwall.com/lists/oss-security/2021/07/20/2 | 12:52:25 |
| das_j | Patch: https://github.com/systemd/systemd/pull/20256 | 12:52:37 |
| das_j | Hm the mentioned kernel vuln is not so good either… | 12:58:09 |
 ajs124 | In reply to @janne.hess:helsinki-systems.de
Patch: https://github.com/systemd/systemd/pull/20256 As a quick-fix, this should work:
systemd.package = pkgs.systemd.overrideAttrs (oA: {
patches = (oA.patches or []) ++ [(pkgs.fetchpatch {
url = "https://github.com/systemd/systemd/commit/441e0115646d54f080e5c3bb0ba477c892861ab9.patch";
sha256 = "1g1lk95igaadg67kah9bpi4zsc01rg398sd1247ghjsvl5hxn4v4";
})];
});
| 13:00:34 |
 hexa | are you going to create a pr or are we defering to #systemd:nixos.org? | 13:12:51 |
| das_j | I can do a PR. is this staging material? | 13:24:48 |
| das_j | * I can do a PR. ~~is this staging material?~~ | 13:27:34 |
| das_j | * I can do a PR. is this staging material? | 13:27:37 |
| das_j | * PR: https://github.com/NixOS/nixpkgs/pull/130779 | 13:29:43 |
 Alyssa Ross | https://lwn.net/Articles/863586/ | 16:00:02 |
| Alyssa Ross | local root vuln in Linux | 16:00:08 |
| das_j | Yup, that goes along with the systemd vuln… But I was not sure how to apply the patch to all kernels | 16:00:42 |
| Alyssa Ross | they're in today's stable releases | 16:01:00 |
| das_j | ah great | 16:01:06 |
| Alyssa Ross | so it's just a stable kernel update as usual | 16:01:14 |
| Alyssa Ross | janne.hess: https://github.com/NixOS/nixpkgs/pull/130807 | 16:05:33 |
| hexa | it's usually not worth looking into kernel vulns, because we bump them often enough and they will be released sooner or later | 16:09:43 |
| Alyssa Ross | this seems to be a particularly serious one | 16:10:09 |
| hexa | which is why it was coordinated and promtly released on a schedule | 16:10:27 |
| hexa | * which is why it was coordinated and promptly released on a schedule | 16:10:35 |
| ajs124 | In reply to @hexa:lossy.network
it's usually not worth looking into kernel vulns, because we bump them often enough and they will be released sooner or later also, you need to reboot to apply them. our reboot schedule for a bunch of systems is every half year for the release upgrade. | 16:12:05 |
| hexa | yeah rebooting is messy :D | 16:12:28 |
 philipp | But the absolutely best feeling is to reboot a compelx system and it just coming back up without any issues. | 16:13:18 |
|  sumner left the room. | 21:42:19 |
| 21 Jul 2021 |
|  Arminio Genevino joined the room. | 20:25:46 |
|  Elliot joined the room. | 20:25:46 |
| Arminio Genevino | o/ | 20:25:50 |
| Elliot | Is there a detailed writeup of how NixOS stacks up against other distros wrt to security? | 20:26:10 |
 nixinator | In reply to @noch3:matrix.org
Is there a detailed writeup of how NixOS stacks up against other distros wrt to security? i can't think of one of the top of my braincase, but do you have a specific questions? | 21:20:27 |
