| 24 Jan 2025 |
Grimmauld (moving to @grimmauld:grapevine.grimmauld.de) | update: Not really fixable; SDL2_ttf exists and fixes these vulnerabilities, the newest SDL1-based SDL_ttf is vulnerable. So even if we update from the current version (2.0.11, released in 2013) to the newest (2.0.18, released in 2022) this wouldn't actually fix the vuln. So i suppose the correct way is to update the dependents instead? | 11:43:08 |
emily | we should really drop sdl1 | 11:51:58 |
emily | just mark it known vulnerable for now | 11:52:44 |
Grimmauld (moving to @grimmauld:grapevine.grimmauld.de) | This has the side effect of breaking all appimage-based packages. Now i do hate appimage, but we shouldn't break them. https://github.com/NixOS/nixpkgs/blame/defe5870670e9fe4d0a8a04e0e58ec60c7745bb1/pkgs/build-support/appimage/default.nix#L183C7-L183C14 lists it as included in the appimage environment, but that is 6 years old and the linked exclude list does not list anything related to sdl anymore. Do i just drop SDL1 things from appimage FHS? | 11:55:56 |
emily | IMO just drop SDL1 from there in general, highly doubt anything we package as an appimage needs it. (continue in the security discussions room?) | 11:56:42 |
tgerbet | Debian tracker lists the commit introducing the issue https://security-tracker.debian.org/tracker/CVE-2022-27470
Might want to check if it really impacts SDL1, I'm on mobile, it is annoying to do
(But yeah dropping old stuff like that is needed) | 12:04:33 |
emily | I think the answer to "is a 90s-vintage TTF-handling library from a previous deprecated major version vulnerable to malicious TTF files" is "yes", no code diving required | 12:06:08 |
emily | thankfully in most use cases that's going to be a wrong-side-of-the-airtight-hatchway thing; games generally don't let your network opponent supply their own font | 12:06:23 |
emily | but it's still not great | 12:08:02 |
emily | (oops, this is triage room again) | 12:08:02 |
Niklas Korz | Matomo 5.2.2 has "several high-impact security fixes": https://github.com/NixOS/nixpkgs/pull/376385
PR for release-24.11 following in a moment, automatic backport won't work atm because the package has been refactored in master and I'm still working on manually backporting those changes as well (also non-trivial because we dropped matomo 4 in unstable and renamed matomo_5 to matomo) | 13:30:27 |
Niklas Korz | In reply to @niklaskorz:korz.dev
Matomo 5.2.2 has "several high-impact security fixes": https://github.com/NixOS/nixpkgs/pull/376385
PR for release-24.11 following in a moment, automatic backport won't work atm because the package has been refactored in master and I'm still working on manually backporting those changes as well (also non-trivial because we dropped matomo 4 in unstable and renamed matomo_5 to matomo)
Manual backport: https://github.com/NixOS/nixpkgs/pull/376389 | 13:50:44 |
| 25 Jan 2025 |
| @mlieberman85:matrix.org left the room. | 04:30:20 |
| aloisw changed their profile picture. | 10:22:09 |
hexa | https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0 | 13:48:24 |
hexa | dotlambda Sandro 🐧 | 13:48:30 |
Sandro 🐧 | Will do in an hour or two | 14:14:19 |
dotlambda | I'm on it. The webvault update requires some manual work | 16:42:43 |
dotlambda | https://github.com/NixOS/nixpkgs/pull/376765 | 18:08:26 |
| 27 Jan 2025 |
| Brisingr05 joined the room. | 02:51:21 |
Niklas Korz | Backport of a high severity fix, accepted by original PR author a week ago: https://github.com/NixOS/nixpkgs/pull/375532#issuecomment-2605160183 | 16:18:24 |
| 28 Jan 2025 |
| tomf joined the room. | 00:23:57 |
tomf | FYI, I see the Woodpecker CI plugin for Nix that's advertised on their site has the author's key in extra-trusted-public-keys. I've raised this as https://github.com/woodpecker-ci/woodpecker/issues/4785 | 00:25:06 |
tomf | If Woodpecker is popular, it might be nice if that project ends up in nix-community. | 00:26:30 |
adamcstephens | That’s a third party project and not really something for us to fix. You already reported in their repo so I guess that’s all to be done? It’s a pretty simple plugin if you look through the code, and woodpecker can also run with a local backend allowing access to nix without docker | 00:30:43 |
tomf | Yes, I mentioned it as an FYI to the channel, rather than email to security team because I see it's outside of the team's control/responsibility. I'll keep on top of the issues. | 00:31:29 |