| 18 Jun 2021 |
Las | * I don't think there is any other solution | 18:37:10 |
Las | it's just used like a normal library now | 18:37:19 |
hexa | might be true, I didn't have time to check | 18:37:48 |
hexa | have to grab some food before the supermarkets close now | 18:38:03 |
Las | I made a PR BTW | 18:39:01 |
Las | Untested since I don't use connman | 18:39:07 |
hexa | requested two reviewers that previously did reviews/changes | 19:27:07 |
| 19 Jun 2021 |
hexa | crossposting here: https://github.com/NixOS/nixpkgs/pull/127453 | 13:21:53 |
hexa | reintroducing certifi with a 2019 version isn't a great idea, but it apparently is required for nixops to continue working | 13:22:26 |
hexa | I insist that it should be marked with knownVulnerabilities and added a commit to that end, so that if it should go in, the problem would be glaringly obvious to any user. | 13:23:02 |
Sandro | Why is NixOS/nixops-committers not a real team? | 18:27:20 |
hexa | not really a security-related question, is it? | 18:29:08 |
Sandro | I wanted to assign them to the PR above | 18:35:52 |
hexa | talk to one of the project owners then, domen, zimbatm | 18:44:26 |
| 20 Jun 2021 |
Ekleog | meh, can anyone describe to me an actual threat model for shipping an expired certificate store? | 18:58:09 |
Ekleog | I mean we definitely shouldn't do it if we can avoid it, but IMO it's not at all worth a knownVulnerabilities | 18:58:34 |
Ekleog | (haven't investigated this specific case though, just the text in knownVulnerabilities in the PR above) | 18:59:22 |
Ekleog | and using knownVulnerabilities too often makes people much more used to working around it so IMO unless there's another motivation not listed yet, adding knownVulnerabilities in this specific case would be a net negative for security for NixOS | 19:01:29 |
Ekleog | (commented on the PR with more details so the conversation is actually logged somewhere) | 19:09:00 |
hexa | I don't think it's a good idea to eval at every step whether the mozilla trust store does a revert here and there | 19:12:16 |
hexa | there won't be any security bulletins about this | 19:12:30 |
hexa | the abstract threat model would be a reverted certificate gets accepted, because the revert happened between 2019..today | 19:13:14 |
hexa | * there likely won't be any security bulletins about this | 19:16:23 |
hexa | * there likely won't be any security bulletins about this, certainly no CVE | 19:16:33 |