| 17 Mar 2026 |
hexa | * https://seclists.org/oss-sec/2026/q1/331 expat | 21:09:21 |
| 18 Mar 2026 |
Markus Theil | Botan had a new release these days. I don't really know if any packages use TLS from Botan or just crypto operations like hashing, encryption/decryption. The security relevant changes touch OCSP handling and parallel signatures with e.g. ML-DSA.
https://botan.randombit.net/news.html#version-3-11-0-2026-03-15
https://github.com/NixOS/nixpkgs/pull/500384 | 08:13:02 |
Markus Theil | OpenSSL also will release a new version in the following weeks: https://openssl-library.org/news/secadv/20260313.txt (sry, if this was already posted here.) | 08:15:35 |
Markus Theil | * OpenSSL also will release new versions in the following weeks: https://openssl-library.org/news/secadv/20260313.txt (sry, if this was already posted here.) | 08:15:43 |
| 曜日 joined the room. | 20:32:49 |
| 19 Mar 2026 |
uep | https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b | 09:54:37 |
uep | CVSS 10 | 09:54:59 |
Tom | https://github.com/NixOS/nixpkgs/pull/501181 | 10:05:08 |
hexa | https://github.com/wolfSSL/wolfssl/releases/tag/v5.9.0-stable | 12:55:16 |
| Miles Dyson set a profile picture. | 18:06:11 |
| 20 Mar 2026 |
| Evrim Ulu joined the room. | 02:42:18 |
flx | https://github.com/NixOS/nixpkgs/pull/501042 | 11:37:01 |
niklaskorz | https://github.com/NixOS/nixpkgs/pull/501606 | 11:57:19 |
emily | uh, going by that blog post maybe we should just be slapping knownVulnerabilities on this thing or removing it... | 12:03:08 |
emily | I guess if there's no known compromise in the previous version... | 12:04:25 |
blitz | at least the knownVulnerabilities would be good to warn people that this thing is f***ed | 16:04:34 |
曜日 | @delroth:delroth.net — Greetings, do forgive the intrusion.
There is a line from your security wishlist that has stayed with me — that Hydra attestation was dependent on other projects to actually be useful. One of those projects may now exist.
The first is already built. https://github.com/eouzoe/Apeiron
Apeiron is a deterministic execution fabric — builds run inside Firecracker microVMs,
defined by Nix-hermetic closures. The build environment is sealed.
Every output is a cryptographic consequence of its inputs, and nothing else.
The question of whether the environment itself was clean is a different problem.
That is what comes next.
An observer at the kernel layer — eBPF LSM inside the boundary, watching at syscall level as execution happens. Signing takes place outside the hypervisor. A compromised guest cannot revise what the kernel recorded. The design is complete. What remains is building it.
If any of this is of interest, I would welcome a conversation. | 17:36:44 |
| 曜日 set a profile picture. | 17:37:26 |
vcunat | expat: https://github.com/NixOS/nixpkgs/pull/501685 | 17:41:39 |
raitobezarius | you should DM delroth directly, he's not involved in the NixOS project anymore | 17:43:02 |
raitobezarius | (also discussions not here) | 17:43:10 |
曜日 | My apologies for the confusion. I had only meant to share the project here — though I came across a wishlist that seemed to align rather closely with what it does, and one thing led to another. | 17:54:20 |
曜日 | Apologies — should I take this to #security:nixos.org instead? | 17:55:05 |
曜日 | * Apologies — should I take this to #security-discuss:nixos.org instead? | 17:55:17 |
ElvishJerricco | https://github.com/NixOS/nixpkgs/pull/501701 fixing a vuln in https://github.com/NixOS/nixpkgs/pull/493445 that is presently on master | 18:38:59 |
ElvishJerricco | need to make sure it doesn't hit unstable. It's already on unstable-small | 18:40:19 |
dotlambda | not sure what to do about https://github.com/NixOS/nixpkgs/issues/500142 on 25.11 | 18:43:45 |
dotlambda | https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92 doesn't apply cleanly | 18:44:18 |
ElvishJerricco | K900, vcunat: do we need to cancel an unstable eval or anything like that to keep this from hitting unstable? I suspect it impacts a significant portion of boot.initrd.secrets users. | 19:10:05 |