| 1 Dec 2025 |
K900 | I think 25.05 might be too old, someone needs to backport the patch | 12:13:32 |
niklaskorz | Or mark as vulnerable and hint that 25.11 has the fix until someone has time to backport the patch | 12:17:01 |
niklaskorz | * Or mark as vulnerable and hint that 25.11 has the fix until someone has time to backport the patch | 12:17:11 |
niklaskorz | Actually never mind that, the fix has been merged into 25.05 too by @K900 three days ago, just hasn't reached nixos-25.05 yet | 13:01:07 |
K900 | OK I'm thinking of something else then | 13:01:25 |
K900 | (narrator voice: he was not, in fact, thinking) | 13:01:37 |
niklaskorz | * Actually never mind that, the fix has been merged into 25.05 too by @K900 three days ago, just hasn't reached nixos-25.05 yet | 13:01:52 |
| 2 Dec 2025 |
mdaniels5757 | It is acceptable to mark packages as vulnerable on release branches, right? It was said to be a prohibited breaking change in https://github.com/NixOS/nixpkgs/pull/466983. I've been creating these backports (and getting them merged) for a bit, but I want some more validation before I reopen that PR :) | 22:35:01 |
hexa | if we cannot fix them we tend to mark as vulnerable, yes. better kept in #security-discuss:nixos.org | 22:42:28 |
hexa | https://seclists.org/oss-sec/2025/q4/228 | 22:50:38 |
hexa | * https://seclists.org/oss-sec/2025/q4/228 vim | 22:50:52 |
hexa | cc Philip Taron (UTC-8) | 22:51:04 |
hexa | blargh, windows only | 22:51:21 |
hexa | 🪟 | 22:51:33 |
| 3 Dec 2025 |
hexa | https://seclists.org/oss-sec/2025/q4/229 xorg.xkbcomp (1.4.7 -> 1.5.0) | 10:19:30 |
hexa | https://www.openwall.com/lists/oss-security/2025/12/03/5 libpng 1.6.52 vcunat | 21:13:44 |
vcunat | Doesn't seem critical and it will be a big rebuild, so I'm in no rush for today. | 23:10:53 |
hexa | should be in the next staging cycle still | 23:28:39 |
| 4 Dec 2025 |
vcunat | https://github.com/NixOS/nixpkgs/pull/467753 | 07:19:26 |
vcunat | https://github.com/NixOS/nixpkgs/pull/467766 | 08:15:50 |
hexa | https://www.openwall.com/lists/oss-security/2025/12/04/3 webkitgtk 2.50.3 | 15:22:27 |
leona | https://github.com/NixOS/nixpkgs/pull/467875 apacheHttpd | 16:54:55 |
| 5 Dec 2025 |
mdaniels5757 | Now realizing I let these pile up: | 03:42:37 |
mdaniels5757 | Security update approved by maintainer, needs merge: https://github.com/NixOS/nixpkgs/pull/466669 and https://github.com/NixOS/nixpkgs/pull/466702 | 03:43:00 |
mdaniels5757 | No approvals for these: https://github.com/NixOS/nixpkgs/pull/466677 https://github.com/NixOS/nixpkgs/pull/465816 https://github.com/NixOS/nixpkgs/pull/466341 https://github.com/NixOS/nixpkgs/pull/465846 | 03:46:09 |
mdaniels5757 | Backports/release branch PRs: https://github.com/NixOS/nixpkgs/pull/466999 https://github.com/NixOS/nixpkgs/pull/466128 https://github.com/NixOS/nixpkgs/pull/466127 https://github.com/NixOS/nixpkgs/pull/465969 https://github.com/NixOS/nixpkgs/pull/467294 | 03:47:08 |
mdaniels5757 | And finally, unreviewed (and unfortunately a bit harder to review, because the version bumps needed included an in-tree formatter bump, sorry): https://github.com/NixOS/nixpkgs/pull/465389 | 03:48:07 |
mdaniels5757 | Jfc that's a lot | 03:48:15 |