!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

660 Members
Coordination and triage of security issues in nixpkgs | Discussions in #security-discuss:nixos.org | Open PRs: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc+label%3A%221.severity%3A+security%22205 Servers

You have reached the beginning of time (for this room).

SenderMessageTime
12 Sep 2025
@jordanjoel1:matrix.org@jordanjoel1:matrix.org left the room.03:34:39
@aidalgol:tchncs.de@aidalgol:tchncs.de set a profile picture.09:21:38
@teutat3s:pub.solarteutat3shttps://github.com/NixOS/nixpkgs/pull/44207611:26:51
@sandro:supersandro.deSandro 🐧I would like to bring this package to the attention of the security minded people https://github.com/NixOS/nixpkgs/pull/433307 It is using very old vendored versions of fontforge and poppler, both over 5 years old, and at least poppler contains 10+ CVEs.11:35:13
@teutat3s:pub.solarteutat3shttps://github.com/NixOS/nixpkgs/pull/43999611:44:42
@emilazy:matrix.orgemilyonly been in the tree for 8 hours, let's revert11:45:13
@emilazy:matrix.orgemilyif there's going to be a new release without vulns it can wait for that11:45:26
@sandro:supersandro.deSandro 🐧I was thinking the same11:45:43
@emilazy:matrix.orgemilypackage guidelines are pretty clear that we need a good reason to add a new package that has significant vulnerabilities from the start11:46:11
@emilazy:matrix.orgemilyI'd do it but not at a computer rn11:46:17
@leona:leona.isleonai created a revert PR https://github.com/NixOS/nixpkgs/pull/442351. I won't merge that myself, happy for reviews.11:52:43
@sandro:supersandro.deSandro 🐧I already saw that when clicking revert that the commit was already created. Approved, too.11:54:56
@emilazy:matrix.orgemily(personally I don't think we need tons of ceremony for reverting for things that would have been a blocking review if caught hours before merge rather than after. part of the Hintjens optimistic merging doc people like is unilateral reverts if a change is problematic. so I'll hit the merge button)11:56:38
13 Sep 2025
@oak:universumi.fioak 🏳️‍🌈♥️ changed their profile picture.09:46:05
14 Sep 2025
@emma:rory.gayEmma [it/its] joined the room.08:39:56
15 Sep 2025
@kevincox:matrix.org@kevincox:matrix.org changed their display name from kevincox to kevincox (moved to @kevincox:kevincox.ca).19:40:13
16 Sep 2025
@teutat3s:pub.solarteutat3s https://github.com/NixOS/nixpkgs/pull/443455 | Fix CVE-2025-59161 / GHSA-m6c8-98f4-75rr "A malicious room can hide an unrelated room and cause it to be left when the malicious room is left " 14:41:53

Show newer messages

Back to Room ListRoom Version: 6