| 10 Dec 2024 |
 Niklas Korz | backport to 24.05 is still open: https://github.com/NixOS/nixpkgs/pull/363869 | 19:29:14 |
 hexa | Niklas Korz: I browsed the matomo changelog and commit log a bit, but I didn't find anything on whether matomo 4.x is affected | 21:07:54 |
| hexa | and since matomo defaults to 4.16.1 on nixos-24.05 we must know or else | 21:12:12 |
| hexa | ugh, same for nixos-24.11? 🫠 | 21:12:43 |
| hexa | 5.0 was released in 2023-12 — WHYYYYY | 21:13:44 |
| hexa | https://endoflife.date/matomo | 21:13:59 |
| hexa | LTS support ends in 9 days | 21:14:11 |
| hexa | 👏 | 21:14:17 |
| Niklas Korz | yeah I was surprised about that as well 😅 | 21:24:35 |
| hexa | we need some kind of remediation here | 21:24:56 |
| hexa | worst case we mark 4.x as knownvulnerable and make people migrate to 5 | 21:25:14 |
| hexa | * worst case we mark 4.x as knownvulnerable "eol" and make people migrate to 5 | 21:25:22 |
| 11 Dec 2024 |
 Scrumplex | https://github.com/NixOS/nixpkgs/pull/364160
https://curl.se/docs/CVE-2024-11053.html | 08:09:30 |
| hexa | https://about.gitlab.com/releases/2024/12/11/patch-release-gitlab-17-6-2-released/ | 16:00:02 |
| hexa | xanderio, leona ^ | 16:01:05 |
| hexa | Redacted or Malformed Event | 16:01:47 |
| hexa | I'm too slow 🙂 | 16:01:49 |
 leona | In reply to @hexa:lossy.network
https://about.gitlab.com/releases/2024/12/11/patch-release-gitlab-17-6-2-released/ there are already two open PRs for that: https://github.com/NixOS/nixpkgs/pull/364213 https://github.com/NixOS/nixpkgs/pull/364219 (24.05 as 'hotter' fix) | 16:01:52 |
|  @stick:matrix.org left the room. | 18:36:40 |
|  fernsehmuell (☎️ 3376 he/him) changed their display name from fernsehmuell to fernsehmuell (he/his) DECT: 3376 (fern). | 18:57:11 |
| 12 Dec 2024 |
| Niklas Korz | unless someone's already on it, I'd create two (or three) PRs today:
- unstable: move
matomo to 5.1.2 and alias matomo_5 to matomo (+ release notes)
- 24.11: add knownVulnerabilities to
matomo about EOL and recommend an upgrade to matomo_5 (+ release notes)
- same for 24.05 or should it be skipped because it's EOL in three weeks?
| 08:30:47 |
 tgerbet | Ideally same for 24.05 | 08:33:49 |
 Sandro 🐧 | If we only would build packages with knowVulnerabilities then we wouldn't need to weigh usability and security against each other | 09:50:42 |
| Niklas Korz | as someone relying on a handful of libolm based services and applications, I tend to agree | 10:05:17 |
 Frank Lanitz | All software is full of unfixed, known issues ;) | 10:09:19 |
 syd installs gentoo (they/them) | Reminder there is also #security-discuss:nixos.org (though I can't join the channel for some reason) | 10:15:55 |
|  Ahurac left the room. | 10:16:08 |
|  ·☽•Nameless☆•777 · ± changed their profile picture. | 14:33:59 |
| Niklas Korz |
- unstable: https://github.com/NixOS/nixpkgs/pull/364627
- 24.11: https://github.com/NixOS/nixpkgs/pull/364633
- 24.05: https://github.com/NixOS/nixpkgs/pull/364642
| 16:17:22 |
|  @metanoic:matrix.org left the room. | 19:06:45 |
