| 25 Mar 2026 |
Ben Sparks | * as long as no one has the bright idea to bump nixpkgs to said revision on pypi :) | 19:35:07 |
kirillrdy | its already been yanked from pypi | 19:36:55 |
| 26 Mar 2026 |
hexa | https://seclists.org/oss-sec/2026/q1/387 libpng | 00:48:39 |
vcunat | It's a huge rebuild, so there's at least one week of time (before starting another staging-next*) | 10:00:27 |
vcunat | Unless we'd like to scrap the few days of the current staging-next-25.11. (as this one looks potentially quite serious) | 10:01:13 |
vcunat | * Unless we'd like to scrap the few days of the current staging-next-25.11. (as this one looks potentially quite serious; see the first Impact: section) | 10:02:23 |
ma27 | glibc security update: https://github.com/NixOS/nixpkgs/pull/503779 | 16:40:27 |
ma27 | also checking if 25.11 is affected (I think so). can I target -next-25.11 or rather staging? | 16:41:01 |
vcunat | -linux is over 40% rebuilt in there, so unless it's critical... | 17:11:44 |
vcunat | * -linux is over 40% rebuilt in there, so unless it's critical, I'd choose staging-25.11. | 17:12:00 |
vcunat | * -linux is over 40% rebuilt in there, so unless it's really urgent, I'd choose staging-25.11. | 17:12:14 |
vcunat | The description doesn't sound serious to me, at a quick read: https://sourceware.org/bugzilla/show_bug.cgi?id=34014#c0 | 17:15:27 |
ma27 | agreed. it's also not even on the 2.40 release branch 🤷 | 17:17:33 |
vcunat | I honestly don't get it. A prerequisite is that your configured DNS resolver is malicious. And the impact is that the answer returned by that resolver is interpreted incorrectly? I guess I'm too tired today? | 17:17:46 |
| 27 Mar 2026 |
dish [Fox/It/She] | manual backport of the last 3 nats-server releases to fix a few security issues for it on release-25.11 https://github.com/NixOS/nixpkgs/pull/503952 | 04:52:26 |
dish [Fox/It/She] | (by a few, I mean a lot, there's over 10 issues open from sectracker rn) | 04:52:50 |
dish [Fox/It/She] | none of the open issues affect master branch since it's on the latest release that has fixes for all known issues that are on nixpkgs' security tracker | 04:55:16 |
vcunat | I'd say it has security aspects, but no idea about severity: https://github.com/NixOS/nixpkgs/pull/503869 | 06:20:31 |
ma27 | grafana security updates: https://github.com/NixOS/nixpkgs/pull/504009, https://github.com/NixOS/nixpkgs/pull/504014 (25.11) | 10:33:43 |
dish [Fox/It/She] | https://github.com/NixOS/nixpkgs/pull/504174 closes 6 security issues for tandoor-recipes | 17:58:25 |
| 28 Mar 2026 |
Alyssa Ross | Whether this is an mbedtls security fix depends on how much you trust in ad-hoc identification and workarounds of each instance of a systemic problem, I suppose, but people in here might like to be aware of it https://github.com/NixOS/nixpkgs/pull/504318 | 08:19:38 |
K900 | Ewwwww | 08:24:30 |
K900 | That's just UB no? | 08:24:37 |
emily | https://github.com/wolfSSL/wolfssl/releases/tag/v5.9.0-stable | 18:04:14 |
emily | three high-severity CVEs and a bunch of others, no PR after ten days 🫠 | 18:04:28 |
emily | it's used in only 9 other packages and I'm about to make that 8. perhaps we should consider dropping. maybe tgerbet has input since he had to do the last update. (but #security-discuss:nixos.org for that ofc) | 18:05:21 |
emily | oh, very sorry, it was already merged… ignore me | 18:06:26 |