| 13 Apr 2026 |
|  Alesya changed their display name from Alesya Huzik to Alesya. | 01:46:22 |
|  Aliaksandr joined the room. | 02:28:46 |
 teutat3s | https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/6VW6OGVSC7LO3QUMBEZOPQFYYOFDJ452/ | 12:18:31 |
| teutat3s | https://github.com/NixOS/nixpkgs/pull/509590 | 14:52:33 |
| teutat3s | https://github.com/NixOS/nixpkgs/pull/509591 | 14:52:40 |
|  Jenny joined the room. | 19:43:21 |
| 14 Apr 2026 |
|  Lukas joined the room. | 01:53:47 |
 Sandro | Two critical authentication bypasses
https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2 | 11:49:55 |
| Sandro | https://github.com/NixOS/nixpkgs/pull/509941 | 12:02:50 |
 vcunat | X.Org Security Advisory: multiple security issues X.Org X server and Xwayland
https://lists.x.org/archives/xorg-announce/2026-April/003677.html | 16:22:07 |
|  klea (she/her) joined the room. | 16:23:16 |
| klea (she/her) changed their display name from klea to klea (she/her). | 16:27:22 |
 K900 | https://www.gamingonlinux.com/2026/04/x-org-x-server-and-xwayland-security-advisory-released-for-multiple-issues/ | 17:41:07 |
| K900 | Oops | 17:41:09 |
| 15 Apr 2026 |
| vcunat | At a glance it's difficult for me to estimate how serious these are. (and thus if staging-next is worth the rebuild with the PR) | 05:49:05 |
 kuflierl | In reply to @vcunat:matrix.org
At a glance it's difficult for me to estimate how serious these are. (and thus if staging-next is worth the rebuild with the PR) From the descriptions alone I would say "CVE-2026-34001: XSYNC Use-after-free" is probably the most dangerous one since it could theoretically allow for local priv esc but that would need more work | 08:08:15 |
| kuflierl | Redacted or Malformed Event | 08:09:26 |
| kuflierl | * i have not read the structs being freed, this is just me assuming there is a pointer somewhere in that strict | 08:09:35 |
| kuflierl | * i have not read the structs being freed, this is just me assuming there is a pointer somewhere in that strict | 08:09:45 |
| 16 Apr 2026 |
 fgaz | Critical sandbox escape in luanti https://github.com/NixOS/nixpkgs/pull/510535 | 09:09:15 |
| K900 | Maybe just backport the fixed version? It's a videogame, do we really need to worry about breakage here | 09:10:55 |
| fgaz | I don't know, I don't have time to review the breaking changes right now | 09:12:06 |
| fgaz | keep in mind it includes a game server as well. breaking changes might affect server operators | 09:12:44 |
| K900 | OK, going to merge for now | 09:12:44 |
| vcunat | Here's another case of dilemma between pulling breaking changes vs. marking as insecure:
https://github.com/NixOS/nixpkgs/pull/500876 | 11:50:14 |
| Sandro | Just build the package on hydra and then people can consume it without pain when allowing it. | 13:35:09 |
 hexa | how about porting the patches? | 13:36:05 |
| vcunat | Another complication is that packages marked as insecure won't be built by Hydra, yes. | 13:47:23 |
| vcunat | * Another complication is (generally) that packages marked as insecure won't be built by Hydra, yes. | 13:48:10 |
| Sandro | We are running in absolute circles here, it would make so many things so much easier and things could be marked as vulnerable without having to worry about criplying peoples experience when they do not have a heavy server to compile stuff | 16:29:28 |
