| 13 Apr 2026 |
 teutat3s | https://github.com/NixOS/nixpkgs/pull/509590 | 14:52:33 |
| teutat3s | https://github.com/NixOS/nixpkgs/pull/509591 | 14:52:40 |
|  Jenny joined the room. | 19:43:21 |
| 14 Apr 2026 |
|  Lukas joined the room. | 01:53:47 |
 Sandro | Two critical authentication bypasses
https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 | 11:49:55 |
| Sandro | https://github.com/NixOS/nixpkgs/pull/509941 | 12:02:50 |
 vcunat | X.Org Security Advisory: multiple security issues X.Org X server and Xwayland
https://lists.x.org/archives/xorg-announce/2026-April/003677.html | 16:22:07 |
|  klea (she/her) joined the room. | 16:23:16 |
| klea (she/her) changed their display name from klea to klea (she/her). | 16:27:22 |
 K900 | https://www.gamingonlinux.com/2026/04/x-org-x-server-and-xwayland-security-advisory-released-for-multiple-issues/ | 17:41:07 |
| K900 | Oops | 17:41:09 |
| 15 Apr 2026 |
| vcunat | At a glance it's difficult for me to estimate how serious these are. (and thus if staging-next is worth the rebuild with the PR) | 05:49:05 |
 kuflierl | In reply to @vcunat:matrix.org
At a glance it's difficult for me to estimate how serious these are. (and thus if staging-next is worth the rebuild with the PR) From the descriptions alone I would say "CVE-2026-34001: XSYNC Use-after-free" is probably the most dangerous one since it could theoretically allow for local priv esc but that would need more work | 08:08:15 |
| kuflierl | Redacted or Malformed Event | 08:09:26 |
| kuflierl | * i have not read the structs being freed, this is just me assuming there is a pointer somewhere in that strict | 08:09:35 |
| kuflierl | * i have not read the structs being freed, this is just me assuming there is a pointer somewhere in that strict | 08:09:45 |
| 16 Apr 2026 |
 fgaz | Critical sandbox escape in luanti https://github.com/NixOS/nixpkgs/pull/510535 | 09:09:15 |
| K900 | Maybe just backport the fixed version? It's a videogame, do we really need to worry about breakage here | 09:10:55 |
| fgaz | I don't know, I don't have time to review the breaking changes right now | 09:12:06 |
| fgaz | keep in mind it includes a game server as well. breaking changes might affect server operators | 09:12:44 |
| K900 | OK, going to merge for now | 09:12:44 |
| vcunat | Here's another case of dilemma between pulling breaking changes vs. marking as insecure:
https://github.com/NixOS/nixpkgs/pull/500876 | 11:50:14 |
| Sandro | Just build the package on hydra and then people can consume it without pain when allowing it. | 13:35:09 |
 hexa | how about porting the patches? | 13:36:05 |
| vcunat | Another complication is that packages marked as insecure won't be built by Hydra, yes. | 13:47:23 |
| vcunat | * Another complication is (generally) that packages marked as insecure won't be built by Hydra, yes. | 13:48:10 |
| Sandro | We are running in absolute circles here, it would make so many things so much easier and things could be marked as vulnerable without having to worry about criplying peoples experience when they do not have a heavy server to compile stuff | 16:29:28 |
| Sandro | I try to avoid that as much as possible. If there are not many changes in between that can be easily done but than you can also just update the package.
If there are many changes, I am just going to throw the update on people regardless if there are breaking changes. It just takes to much of my time to properly test those patches on old things I am nowhere using. | 16:31:11 |
| Sandro | * I try to avoid that as much as possible. If there are not many changes in between that can be easily done but than you can also just update the package.
If there are many changes, I am just wanting to throw the update on people regardless if there are breaking changes. It just takes to much of my time to properly test those patches on old things I am nowhere using. | 16:36:34 |
 emily | what's going in circles is you restarting this argument unprompted every single time... | 16:37:39 |
