| 24 Jan 2025 |
Grimmauld (moving to @grimmauld:grapevine.grimmauld.de) | * This has the side effect of breaking all appimage-based packages. Now I do hate appimage, but we shouldn't break them. https://github.com/NixOS/nixpkgs/blame/defe5870670e9fe4d0a8a04e0e58ec60c7745bb1/pkgs/build-support/appimage/default.nix#L183C7-L183C14 lists it as included in the appimage environment, but that is 6 years old and the linked exclude list does not list anything related to SDL anymore. Do I just drop SDL1 things from the appimage FHS? | 11:55:56 |
emily | IMO just drop SDL1 from there in general, highly doubt anything we package as an appimage needs it. (continue in the security discussions room?) | 11:56:42 |
tgerbet | Debian tracker lists the commit introducing the issue https://security-tracker.debian.org/tracker/CVE-2022-27470
Might want to check if it really impacts SDL1, I'm on mobile it is annoying to do
(But yeah dropping old stuff like that is needed) | 12:04:33 |
emily | I think the answer to "is a 90s-vintage TTF-handling library from a previous deprecated major version vulnerable to malicious TTF files" is "yes", no code diving required | 12:06:08 |
emily | thankfully in most use cases that's going to be a wrong-side-of-the-airtight-hatchway thing; games generally don't let your network opponent supply their own font | 12:06:23 |
emily | but it's still not great | 12:08:02 |
emily | (oops, this is triage room again) | 12:08:02 |
Niklas Korz | Matomo 5.2.2 has "several high-impact security fixes": https://github.com/NixOS/nixpkgs/pull/376385
PR for release-24.11 following in a moment, automatic backport won't work atm because the package has been refactored in master and I'm still working on manually backporting those changes as well (also non-trivial because we dropped matomo 4 in unstable and renamed) | 13:30:12 |
Niklas Korz | * Matomo 5.2.2 has "several high-impact security fixes": https://github.com/NixOS/nixpkgs/pull/376385
PR for release-24.11 following in a moment, automatic backport won't work atm because the package has been refactored in master and I'm still working on manually backporting those changes as well (also non-trivial because we dropped matomo 4 in unstable and renamed matomo_5 to matomo) | 13:30:27 |
Niklas Korz | In reply to @niklaskorz:korz.dev
Matomo 5.2.2 has "several high-impact security fixes": https://github.com/NixOS/nixpkgs/pull/376385
PR for release-24.11 following in a moment, automatic backport won't work atm because the package has been refactored in master and I'm still working on manually backporting those changes as well (also non-trivial because we dropped matomo 4 in unstable and renamed matomo_5 to matomo)
Manual backport: https://github.com/NixOS/nixpkgs/pull/376389 | 13:50:44 |
| 25 Jan 2025 |
| @mlieberman85:matrix.org left the room. | 04:30:20 |
| aloisw changed their profile picture. | 10:22:09 |
hexa | https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0 | 13:48:24 |
hexa | dotlambda Sandro 🐧 | 13:48:30 |
Sandro 🐧 | Will do in an hour or two | 14:14:19 |
dotlambda | I'm on it. The webvault update requires some manual work | 16:42:43 |
dotlambda | https://github.com/NixOS/nixpkgs/pull/376765 | 18:08:26 |
| 27 Jan 2025 |
| Brisingr joined the room. | 02:51:21 |
Niklas Korz | Backport of a high severity fix, accepted by original PR author a week ago: https://github.com/NixOS/nixpkgs/pull/375532#issuecomment-2605160183 | 16:18:24 |
| 28 Jan 2025 |
| tomf joined the room. | 00:23:57 |
tomf | FYI, I see the Woodpecker CI plugin for Nix that's advertised on their site has the author's key in extra-trusted-public-keys. I've raised this as https://github.com/woodpecker-ci/woodpecker/issues/4785 | 00:25:06 |
tomf | If Woodpecker is popular, it might be nice if that project ends up in nix-community. | 00:26:30 |
adamcstephens | That's a third-party project and not really something for us to fix. You already reported it in their repo so I guess that's all to be done? It's a pretty simple plugin if you look through the code, and woodpecker can also run with a local backend allowing access to nix without docker | 00:30:43 |
tomf | Yes, I mentioned it as an FYI to the channel, rather than email to security team because I see it's outside of the team's control/responsibility. I'll keep on top of the issues. | 00:31:29 |
adamcstephens | Having woodpecker remove it from their list seems reasonable | 00:31:48 |
hexa | we don't ship any 3rd party woodpecker plugins? | 00:32:02 |
adamcstephens | We ship the required git plugin and apparently one for transforming from other CI definitions | 00:33:20 |
adamcstephens | Most plugins are docker containers that are pulled on demand | 00:34:34 |
| 30 Jan 2025 |
hexa | https://www.openwall.com/lists/oss-security/2025/01/29/1 bind9 globin | 00:22:28 |
hexa | globin: you last touched this package in 2019, can you please update your maintainership? | 00:23:52 |