| 30 Sep 2023 |
 hexa | haha, please no more audio/vidoe/image format vulnerabilities this year 😄 | 21:55:46 |
| *  raitobezarius gets the libFuzzer out of the pocket and runs it on libcaca | 21:56:06 |
| hexa | In reply to @hexa:lossy.network
haha, please no more audio/vidoe/image format vulnerabilities this year 😄 https://github.com/NixOS/nixpkgs/pull/258295 | 23:16:55 |
| 1 Oct 2023 |
 vcunat | In reply to @hexa:lossy.network
https://github.com/NixOS/nixpkgs/pull/258295 Wait, yet another libvpx CVE in a few days? | 05:20:49 |
| vcunat | I mean, I'm in particular interested if the PR is urgent or could be staged instead, as doing those rebuilds again (on 2-3 branches) isn't cheap and it will slow down the staging-next* cycles - which also contain (milder) security fixes. | 05:27:13 |
| vcunat | It is a different bug, but when public descriptions say only "crash", I can't tell severity at a glance (and no CVSS yet). | 05:38:49 |
| vcunat | I really hate when importance is not stated and bug report links are private, so what one could do is only analyze the commit. Sure, no need to publish how to exploit it, but if you don't indicate severity... | 05:51:17 |
| vcunat | Maybe just wait, e.g. Firefox only released for the previous bug (VP8, not VP9 yet) | 05:57:31 |
| vcunat | * Maybe just wait, e.g. Firefox only released for the previous bug (VP8, not VP9 yet)
EDIT: now I noticed the topic on #security-discuss:nixos.org but even there these questions aren't answered yet.
| 06:23:22 |
|  @errornointernet:envs.net joined the room. | 08:32:35 |
|  Mikael Fangel joined the room. | 09:31:50 |
| 2 Oct 2023 |
 ajs124 | https://github.com/NixOS/nixpkgs/pull/258581
haven't tested much, but will do so now. if I don't draft it in the next hour or so, this can probably be merged. | 13:25:15 |
|  ·☽•Nameless☆•777 · ± changed their profile picture. | 15:49:55 |
| ·☽•Nameless☆•777 · ± changed their profile picture. | 15:56:16 |
| 3 Oct 2023 |
 Domen Kožar | https://twitter.com/bagder/status/1709103920914526525 | 14:14:43 |
| raitobezarius |
pretty much, yes. But this time actually the worst security problem found in curl in a long time.
| 14:15:06 |
| raitobezarius | (hope it's not my code) | 14:15:14 |
 delroth | cc vcunat - we should figure out a staging-next timeline that works well with this (libcurl patch dropping on Oct 11) | 14:59:17 |
| delroth | dunno if we should extend the current staging-next cycle or make a short next cycle | 14:59:42 |
| vcunat | curl is mainly a problem because of rebuilding darwin stdenvs. Not that much otherwise IIRC. | 15:00:09 |
| vcunat | Our farm has constant amount of darwin. (almost all aarch64+rosetta) | 15:01:20 |
| delroth | https://github.com/NixOS/nixpkgs/pull/244468 5001+ Linux too apparently (let's maybe switch this discussion to the other channel) | 15:01:58 |
| vcunat | * curl is mainly a problem because of rebuilding darwin stdenvs. Not that much otherwise IIRC. EDIT: I was wrong, probably, looks big on linux, too. | 15:15:40 |
|  tlaurion aka Insurgo [ Timezone: ET ] changed their display name from Insurgo aka tlaurion (AFK) to Insurgo aka tlaurion (TZ: UTC-4). | 23:41:16 |
| 4 Oct 2023 |
| hexa | https://lists.x.org/archives/xorg/2023-October/061506.html | 01:24:04 |
| hexa | no idea who to tag tbh | 01:24:43 |
| raitobezarius | cc K900 ⚡️ Jan Tojnar and NickCao who touched this stuff last time AFAIK | 01:26:23 |
 Artturin | In reply to @hexa:lossy.network
https://lists.x.org/archives/xorg/2023-October/061506.html https://github.com/NixOS/nixpkgs/pull/258841 | 02:18:35 |
 K900 | Wait me | 05:56:46 |
| K900 | When did I touch Xorg stuff | 05:56:56 |
