| 15 Oct 2025 |
|  DenKn changed their display name from 𝔇𝔢𝔫𝔎𝔫 to DenKn. | 08:15:57 |
|  Robert Hensing (roberth) joined the room. | 21:07:54 |
| Robert Hensing (roberth) | Just found a public security fix. Probably low impact. https://github.com/NixOS/nixpkgs/pull/452376 | 21:08:29 |
| Robert Hensing (roberth) | * Just found a public security fix for libgit2. Probably low impact. https://github.com/NixOS/nixpkgs/pull/452376 | 21:14:05 |
 hexa | https://seclists.org/oss-sec/2025/q4/46 | 22:06:39 |
| hexa | * https://seclists.org/oss-sec/2025/q4/46 samba | 22:22:04 |
| hexa | https://github.com/NixOS/nixpkgs/pull/452396
https://github.com/NixOS/nixpkgs/pull/452397 | 22:43:19 |
| 16 Oct 2025 |
| hexa | https://github.com/element-hq/matrix-authentication-service/security/advisories/GHSA-6wfp-jq3r-j9xh teutat3s | 17:34:28 |
 teutat3s | https://github.com/NixOS/nixpkgs/pull/452425#issuecomment-3412018823 | 17:56:30 |
 j-k | Bump + maintenance, resolves a moderate
https://github.com/NixOS/nixpkgs/pull/452678
https://github.com/in-toto/go-witness/security/advisories/GHSA-72c7-4g63-hpw5 | 18:49:33 |
|  SpiralP left the room. | 18:54:23 |
| SpiralP joined the room. | 18:55:06 |
| 18 Oct 2025 |
|  kevincox left the room. | 10:23:21 |
 Mic92 | https://github.com/NixOS/nixpkgs/pull/452376 libgit | 20:59:30 |
 Grimmauld (any/all) | binutils 2.45 has a few CVEs, though as we are still on 2.44 it is unclear whether we are affected (likely the answer is yes, but i didn't go look).
Patches seem to exist though, not sure whether they apply on 2.44 base though.
https://nvd.nist.gov/vuln/detail/CVE-2025-11412
https://nvd.nist.gov/vuln/detail/CVE-2025-11413
https://nvd.nist.gov/vuln/detail/CVE-2025-11414
https://nvd.nist.gov/vuln/detail/CVE-2025-11494
https://nvd.nist.gov/vuln/detail/CVE-2025-11495
cc John Ericson i guess
| 21:08:08 |
| Grimmauld (any/all) | * binutils 2.45 has a few CVEs, though as we are still on 2.44 it is unclear (to me) whether we are affected (likely the answer is yes, but i didn't go look).
Patches seem to exist though, not sure whether they apply on 2.44 base though.
https://nvd.nist.gov/vuln/detail/CVE-2025-11412
https://nvd.nist.gov/vuln/detail/CVE-2025-11413
https://nvd.nist.gov/vuln/detail/CVE-2025-11414
https://nvd.nist.gov/vuln/detail/CVE-2025-11494
https://nvd.nist.gov/vuln/detail/CVE-2025-11495
cc John Ericson i guess
| 21:08:19 |
| Grimmauld (any/all) | * binutils 2.45 has a few CVEs, though as we are still on 2.44 it is unclear (to me) whether we are affected (likely the answer is yes, but i didn't go look).
Patches seem to exist though, not sure whether they apply on 2.44 base.
https://nvd.nist.gov/vuln/detail/CVE-2025-11412
https://nvd.nist.gov/vuln/detail/CVE-2025-11413
https://nvd.nist.gov/vuln/detail/CVE-2025-11414
https://nvd.nist.gov/vuln/detail/CVE-2025-11494
https://nvd.nist.gov/vuln/detail/CVE-2025-11495
cc John Ericson i guess
| 21:08:32 |
| 19 Oct 2025 |
 vcunat | No new updates in the branch, so far:
https://sourceware.org/git/?p=binutils-gdb.git;a=shortlog;h=refs/heads/binutils-2_44-branch | 07:00:55 |
| vcunat | * binutils: no new updates in the branch, so far:
https://sourceware.org/git/?p=binutils-gdb.git;a=shortlog;h=refs/heads/binutils-2_44-branch | 07:01:15 |
 K900 | We merged some backports for this | 10:31:21 |
| K900 | Not sure if all | 10:31:23 |
|  azahi left the room. | 15:46:56 |
| azahi joined the room. | 19:54:25 |
| 20 Oct 2025 |
|  Felix Schröter changed their display name from Felix Schröter to Felix Schröter (🌄 27.10. – 09.11.). | 08:34:02 |
| 21 Oct 2025 |
 dotlambda | https://github.com/NixOS/nixpkgs/pull/454346 | 21:00:18 |
| dotlambda |
I don't want people to use this library in production environments...
It's a teaching tool, it's a testing tool, it's absolutely not an production grade implementation.
I maintain it to have support for ECDH and ECDSA in tlsfuzzer, which I need to be first and foremost portable. Security does not even enter a picture for that tool.
If you need enterprise grade implementation you should use pyca/cryptography.
https://github.com/tlsfuzzer/python-ecdsa/issues/330 | 21:10:27 |
 emily | are the users actually using it in security-sensitive contexts or is it just test/fuzzer stuff? | 21:21:55 |
| dotlambda | Lots of crypto coin-related packages seem to use it, I assume that's security-sensitive. Also duplicity, a backup tool. I'm currently looking at how home-assistant is using it | 21:25:51 |
 niklaskorz | home-assistant project chip only seems to use it for testing indeed | 21:28:47 |
| dotlambda | In reply to @niklaskorz:matrix.org
home-assistant project chip only seems to use it for testing indeed You're sure about that?
https://matrix.to/#/!TMHsziEPKwNiZHIoRO:lossy.network/$e12yLxQo1zTojp77HVo2qnv_CpXQaP-PRSndOSHpo3Q?via=nixos.dev | 21:34:10 |
