| 1 Oct 2023 |
 vcunat | In reply to @hexa:lossy.network
https://github.com/NixOS/nixpkgs/pull/258295 Wait, yet another libvpx CVE in a few days? | 05:20:49 |
| vcunat | I mean, I'm in particular interested if the PR is urgent or could be staged instead, as doing those rebuilds again (on 2-3 branches) isn't cheap and it will slow down the staging-next* cycles - which also contain (milder) security fixes. | 05:27:13 |
| vcunat | It is a different bug, but when public descriptions say only "crash", I can't tell severity at a glance (and no CVSS yet). | 05:38:49 |
| vcunat | I really hate when importance is not stated and bug report links are private, so what one could do is only analyze the commit. Sure, no need to publish how to exploit it, but if you don't indicate severity... | 05:51:17 |
| vcunat | Maybe just wait, e.g. Firefox only released for the previous bug (VP8, not VP9 yet) | 05:57:31 |
| vcunat | * Maybe just wait, e.g. Firefox only released for the previous bug (VP8, not VP9 yet)
EDIT: now I noticed the topic on #security-discuss:nixos.org but even there these questions aren't answered yet.
| 06:23:22 |
|  @errornointernet:envs.net joined the room. | 08:32:35 |
|  Mikael Fangel joined the room. | 09:31:50 |
| 2 Oct 2023 |
 ajs124 | https://github.com/NixOS/nixpkgs/pull/258581
haven't tested much, but will do so now. if I don't draft it in the next hour or so, this can probably be merged. | 13:25:15 |
