| 9 Oct 2023 |
Lun | Arch is using that patch https://gitlab.archlinux.org/archlinux/packaging/packages/libcue/-/commit/035bddf10ab0936e41daf829dac0ef3bd56bd2ce | 21:08:23 |
Lun | https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e | 21:34:07 |
K900 | Yay | 21:34:32 |
| 10 Oct 2023 |
K900 | New kernel updates with Xen DoS fix: https://github.com/NixOS/nixpkgs/pull/260296 | 21:59:06 |
Sandro | CVE-2023-44487 7.5 score, 0-day, exploited in the wild
The fix (https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832) is probably not that easy to backport.
| 22:57:20 |
Sandro | and we are quite a bit behind, there are changes that need attention and changing the package is a mass rebuild
https://github.com/NixOS/nixpkgs/pull/219712 | 22:57:58 |
Sandro | https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ | 22:58:45 |
| 11 Oct 2023 |
vcunat | Rebuild wouldn't be a problem now, as high-priority curl fix arrives today. | 05:59:05 |
raitobezarius | It's already out, see discussion channel | 05:59:19 |
raitobezarius | Release is not out yet | 05:59:23 |
vcunat | Either way, 23.05 goes to rebuild first, and upgrading nghttp2 in there might not be great, so it would be nice if backport of this patch was easy. | 06:05:37 |
leona | https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/ | 06:08:35 |
⛧-440729 [sophie raven] (it/its) | https://github.com/curl/curl/releases/tag/curl-8_4_0 I'm on it | 06:14:49 |
⛧-440729 [sophie raven] (it/its) | Releases apparently aren't online yet. The links on https://curl.se/download.html return a 404. | 06:19:08 |
raitobezarius | yep I advise to wait until they are out | 06:19:27 |
raitobezarius | we can theoretically apply the patch for 23.05 though | 06:19:55 |
raitobezarius | i don't think we need to wait 8.4.0 for that | 06:20:00 |
raitobezarius | or maybe we should bump 23.05 to 8.4.0 | 06:20:25 |
raitobezarius | I don't know the policy here | 06:20:28 |
⛧-440729 [sophie raven] (it/its) | 8.4.0 should be released soon™, I'd wait for the new release. 23.05 probably should get the backport as well due to this being a security issue | 06:22:17 |
vcunat | We're on 8.1.1 in 23.05. | 06:22:34 |
vcunat | So probably pick just the patches. | 06:22:45 |
vcunat | * So probably pick just the patches in there. | 06:23:07 |
⛧-440729 [sophie raven] (it/its) | Release is online, the darwin patch doesn't cleanly apply anymore. Someone with a darwin system needs to test whether my changes to the patch are good. | 06:33:23 |
vcunat | I can build on a slow x86_64-darwin. | 06:40:47 |
vcunat | No nixpkgs PR yet? (for staging-next-23.05) | 06:41:04 |
vcunat | Patching is a pain here. Normally it would need addition of autoreconfHook, but that would cause nontrivial infinite recursion. | 06:42:31 |
vcunat | As for backporting itself, the conflicts didn't look bad at a glance. | 06:43:12 |