| 4 Apr 2024 |
|  Alison Jenkins joined the room. | 14:21:18 |
| Alison Jenkins | Hey everyone, while updating my MacOS system from my nix flake I had Bitdefender for Mac flag a file called test.exe in the Zig 0.11 derivation as a virus. Could well be a false positive but thought I should report it just in case someone is trying to pull an XZ on the Zig project: 4 Apr 2024 at 15:16 Gen:Variant.Lazy.502457 deleted /private/tmp/nix-build-zig-0.11.0.drv-0/source/zig-cache/o/42a1c6e5938d8a1afeef6a9fba4fb62f/test.exe | 14:23:28 |
 K900 | I'm pretty sure that's a compiler artifact | 14:24:03 |
 raitobezarius | Alison Jenkins: can you go to the zig project directly and report this? zig developers uses Nix | 16:13:16 |
| raitobezarius | so they can chime in directly and pinpoint the potential problem | 16:13:22 |
| raitobezarius | https://framapiaf.org/@peertube/112213265816046276 | 17:27:40 |
 tgerbet | https://github.com/NixOS/nixpkgs/pull/301604 | 17:57:02 |
|  @falaichte:techsaviours.org joined the room. | 19:55:04 |
| 6 Apr 2024 |
|  @mop4987:matrix.org left the room. | 21:03:22 |
|  @tpw_rules:matrix.org left the room. | 21:21:12 |
 @a-n-n-a-l-e-e:matrix.org | hello -- i deleted my github account today due to being angry at some dumpster fire of a PR i got involved with. anyway, some of my other work is now being questioned about me being part of the xz conspiracy https://github.com/NixOS/nixpkgs/pull/301252 i recognize the suspicion but that was just due to the work of cleaning up segfaults and libc++abi / libc++ stuff from LLVM. | 22:55:54 |
| @a-n-n-a-l-e-e:matrix.org | and cleaning up old LLVMs. | 22:56:56 |
| @a-n-n-a-l-e-e:matrix.org | i wish i could get that time back... | 22:57:42 |
 ris_ | oh dear 😆 | 23:12:39 |
| @a-n-n-a-l-e-e:matrix.org | i knew getting involved in the PR was a mistake last week but i did it anyway. | 23:13:47 |
| @a-n-n-a-l-e-e:matrix.org | * i knew getting involved in the PR was a mistake last week but i did it anyway. (https://github.com/NixOS/nixpkgs/pull/294347) | 23:15:22 |
| ris_ | the RFC process to get meta.sourceProvenance took me a year, and then when I tried to implement it, someone popped up and tried to make me redesign it | 23:16:39 |
| ris_ | so i sympathize, it's stressful | 23:19:09 |
 hexa | Hey, I'm sorry that it had to come to this. If you had encountered problems earlier I would hope moderation could've helped | 23:20:02 |
| raitobezarius | I'm sorry for that, thank you for all your contributions. | 23:31:54 |
 @janik0:matrix.org | In reply to @a-n-n-a-l-e-e:matrix.org
hello -- i deleted my github account today due to being angry at some dumpster fire of a PR i got involved with. anyway, some of my other work is now being questioned about me being part of the xz conspiracy https://github.com/NixOS/nixpkgs/pull/301252 i recognize the suspicion but that was just due to the work of cleaning up segfaults and libc++abi / libc++ stuff from LLVM. sad to see you go, takae your time and enjoy life. | 23:38:29 |
| 7 Apr 2024 |
 nyanbinary | In reply to @a-n-n-a-l-e-e:matrix.org
i knew getting involved in the PR was a mistake last week but i did it anyway. (https://github.com/NixOS/nixpkgs/pull/294347) Oh what exactly was the tipping point? :< | 02:24:23 |
 ネコ | oh, i was wondering what happened... | 02:35:33 |
|  @fl1tzi:matrix.fl1tzi.com left the room. | 12:29:14 |
| @a-n-n-a-l-e-e:matrix.org | thanks. though the member who was making backhanded comments about my incompetence and lack of professionalism is a member of the moderation team, to my understanding. | 14:59:05 |
| hexa | can you point out details in a DM? | 15:00:13 |
| 8 Apr 2024 |
|  Levi changed their display name from levigross to Levi. | 03:38:37 |
 @mtheil:scs.ems.host | botan2 and botan3 had bug fix releases roughly a month ago. I made a combined PR some weeks ago, but was not able to debug the failing build of monotone with botan2 on MacOS myself. So I split this PR into a another one for botan2.
- botan3: https://github.com/NixOS/nixpkgs/pull/298669
- botan2: https://github.com/NixOS/nixpkgs/pull/302530
Is someone willing to step in for debugging the failing botan2 build on MacOS or can provide me some debugging hints for debugging from a Linux-based system with ofborg in the CI?
| 09:51:18 |
| @mtheil:scs.ems.host | * botan2 and botan3 had bug fix releases roughly a month ago. I made a combined PR some weeks ago, but was not able to debug the failing build of monotone with botan2 on MacOS myself. So I split this PR into another one for botan2.
- botan3: https://github.com/NixOS/nixpkgs/pull/298669
- botan2: https://github.com/NixOS/nixpkgs/pull/302530
Is someone willing to step in for debugging the failing botan2 build on MacOS or can provide me some debugging hints for debugging from a Linux-based system with ofborg in the CI?
| 09:51:40 |
| @mtheil:scs.ems.host |
OpenSSL Security Advisory [8th April 2024]
==========================================
Unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
========================================================================
Severity: Low
Issue summary: Some non-default TLS server configurations can cause unbounded
memory growth when processing TLSv1.3 sessions
Impact summary: An attacker may exploit certain server configurations to trigger
unbounded memory growth that would lead to a Denial of Service
This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is
being used (but not if early_data support is also configured and the default
anti-replay protection is in use). In this case, under certain conditions, the
session cache can get into an incorrect state and it will fail to flush properly
as it fills. The session cache will continue to grow in an unbounded manner. A
malicious client could deliberately create the scenario for this failure to
force a Denial of Service. It may also happen by accident in normal operation.
This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS
clients.
The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL
1.0.2 is also not affected by this issue.
OpenSSL 3.2, 3.1, 3.0, 1.1.1 are vulnerable to this issue.
OpenSSL 3.2 users should upgrade to OpenSSL 3.2.2 once it is released.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.6 once it is released.
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.14 once it is released.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1y once it is released
(premium support customers only).
Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit e9d7083e (for 3.2),
commit 7e4d731b (for 3.1) and commit b52867a9 (for 3.0) in the OpenSSL git
repository. It is available to premium support customers in commit
5f8d2577 (for 1.1.1).
This issue was reported on 27th February 2024 by Manish Patidar (Hewlett Packard
Enterprise). The fix was developed by Matt Caswell.
| 15:17:20 |
