| 8 Dec 2024 |
| shawn8901 set a profile picture. | 19:21:34 |
| 9 Dec 2024 |
Tomodachi94 (they/them) | https://matrix.to/#/#dev:nixos.org/$1QE9j5UPzFb-qL02MAvSbSzX-0UspFEc5FBEtqH8y8s | 23:33:10 |
Tomodachi94 (they/them) | This Matomo update has a "high impact security fix" that came out more than two months ago: https://github.com/NixOS/nixpkgs/pull/363621
| 23:33:32 |
Tomodachi94 (they/them) | (oh, nevermind, already merged) | 23:33:53 |
| 10 Dec 2024 |
| Niklas Korz joined the room. | 19:28:21 |
Niklas Korz | backport to 24.05 is still open: https://github.com/NixOS/nixpkgs/pull/363869 | 19:29:14 |
hexa | Niklas Korz: I browsed the matomo changelog and commit log a bit, but I didn't find anything on whether matomo 4.x is affected | 21:07:54 |
hexa | and since matomo defaults to 4.16.1 on nixos-24.05 we must know or else | 21:12:12 |
hexa | ugh, same for nixos-24.11? 🫠 | 21:12:43 |
hexa | 5.0 was released in 2023-12 — WHYYYYY | 21:13:44 |
hexa | https://endoflife.date/matomo | 21:13:59 |
hexa | LTS support ends in 9 days | 21:14:11 |
hexa | 👏 | 21:14:17 |
Niklas Korz | yeah I was surprised about that as well 😅 | 21:24:35 |
hexa | we need some kind of remediation here | 21:24:56 |
hexa | worst case we mark 4.x as knownvulnerable and make people migrate to 5 | 21:25:14 |
hexa | * worst case we mark 4.x as knownvulnerable "eol" and make people migrate to 5 | 21:25:22 |
| 11 Dec 2024 |
Scrumplex | https://github.com/NixOS/nixpkgs/pull/364160
https://curl.se/docs/CVE-2024-11053.html | 08:09:30 |
hexa | https://about.gitlab.com/releases/2024/12/11/patch-release-gitlab-17-6-2-released/ | 16:00:02 |
hexa | xanderio, leona ^ | 16:01:05 |
hexa | I'm too slow 🙂 | 16:01:49 |
leona | In reply to @hexa:lossy.network https://about.gitlab.com/releases/2024/12/11/patch-release-gitlab-17-6-2-released/ there are already two open PRs for that: https://github.com/NixOS/nixpkgs/pull/364213 https://github.com/NixOS/nixpkgs/pull/364219 (24.05 as 'hotter' fix) | 16:01:52 |
| prusnak left the room. | 18:36:40 |
| fernsehmuell (☎️ 3376 he/him) changed their display name from fernsehmuell to fernsehmuell (he/his) DECT: 3376 (fern). | 18:57:11 |
| 12 Dec 2024 |
Niklas Korz | unless someone's already on it, I'd create two (or three) PRs today:
- unstable: move matomo to 5.1.2 and alias matomo_5 to matomo (+ release notes)
- 24.11: add knownVulnerabilities to matomo about EOL and recommend an upgrade to matomo_5 (+ release notes)
- same for 24.05 or should it be skipped because it's EOL in three weeks? | 08:30:47 |
tgerbet | Ideally same for 24.05 | 08:33:49 |
Sandro | If we only would build packages with knownVulnerabilities then we wouldn't need to weigh usability and security against each other | 09:50:42 |
Niklas Korz | as someone relying on a handful of libolm based services and applications, I tend to agree | 10:05:17 |