| 29 Mar 2024 |
clefru | * FYI from what I see, the two 0 days for Google Chrome published on Tuesday are still unpatched in release-23.11. | 08:53:45 |
clefru | Sorry ignore that.. I am tracking nixos-23.11 and not release-23.11 | 09:05:50 |
hexa | https://www.openwall.com/lists/oss-security/2024/03/29/4 | 16:12:46 |
syd installs gentoo (they/them) | In reply to @hexa:lossy.network https://www.openwall.com/lists/oss-security/2024/03/29/4 b) argv[0] needs to be /usr/sbin/sshd | 16:15:35 |
syd installs gentoo (they/them) | * b) argv[0] needs to be /usr/sbin/sshd
ldd $(which sshd) | grep -i lzma doesn't link against lzma
https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/compression/xz/default.nix
is on the affected version 5.6.1 (5.4.4 on 23.11)
Thank you hexa https://github.com/NixOS/nixpkgs/pull/300028
| 16:22:08 |
Julien | Just saw that as well, is there a specific reason we are not building xz from the "source code" links generated from GitHub? If I understand correctly, part of the backdoor is not present in there | 16:38:11 |
vcunat | Because release tarballs need less dependencies to build. | 16:39:31 |
raitobezarius | In reply to @julienmalka:matrix.org Just saw that as well, is there a specific reason we are not building xz from the "source code" links generated from GitHub? If I understand correctly, part of the backdoor is not present in there #security-discuss:nixos.org | 16:39:38 |
vcunat | * Because release tarballs need less dependencies to build from. | 16:39:55 |
tgerbet | And the source code tarballs generated by GH automatically are not stable | 16:40:28 |
vcunat | We have tools for that. | 16:40:55 |
vcunat | Hashing the unpacked directory tree instead. | 16:41:07 |
vcunat | Dependency on autoreconfHook can be bothersome, especially for packages involved in stdenv bootstrapping. | 16:41:42 |