| 24 Jan 2025 |
Grimmauld (moving to @grimmauld:grapevine.grimmauld.de) | * update: Not really fixable; SDL2_ttf exists and fixes these vulnerabilities, the newest SDL1-based SDL_ttf is vulnerable. So even if we update from the current version (2.0.11, released in 2013) to the newest (2.0.18, released in 2022) this wouldn't actually fix the vuln. So I suppose the correct way is to update the dependents instead? | 11:43:08 |
emily | we should really drop sdl1 | 11:51:58 |
emily | just mark it known vulnerable for now | 11:52:44 |
Grimmauld (moving to @grimmauld:grapevine.grimmauld.de) | This has the side effect of breaking all appimage-based packages. Now I do hate appimage, but we shouldn't break them. https://github.com/NixOS/nixpkgs/blame/defe5870670e9fe4d0a8a04e0e58ec60c7745bb1/pkgs/build-support/appimage/default.nix#L183C7-L183C14 lists it as included in the appimage environment, but that is 6 years old and the linked exclude list does not list anything related to sdl anymore. Do I just drop SDL1 ttf from appimage FHS? | 11:55:20 |
Grimmauld (moving to @grimmauld:grapevine.grimmauld.de) | * This has the side effect of breaking all appimage-based packages. Now I do hate appimage, but we shouldn't break them. https://github.com/NixOS/nixpkgs/blame/defe5870670e9fe4d0a8a04e0e58ec60c7745bb1/pkgs/build-support/appimage/default.nix#L183C7-L183C14 lists it as included in the appimage environment, but that is 6 years old and the linked exclude list does not list anything related to sdl anymore. Do I just drop SDL1 things from appimage FHS? | 11:55:56 |
emily | IMO just drop SDL1 from there in general, highly doubt anything we package as an appimage needs it. (continue in the security discussions room?) | 11:56:42 |
tgerbet | Debian tracker lists the commit introducing the issue https://security-tracker.debian.org/tracker/CVE-2022-27470 Might want to check if it really impacts SDL1, I'm on mobile, it is annoying to do. (But yeah, dropping old stuff like that is needed) | 12:04:33 |