| 2 Jun 2026 |
dotlambda | and https://github.com/NixOS/nixpkgs/pull/524507 | 15:27:32 |
| monokles joined the room. | 16:10:45 |
| 3 Jun 2026 |
Samuel Dionne-Riel | the following PRs may need to be labeled with the security label:
- https://github.com/NixOS/nixpkgs/pull/468076
- https://github.com/NixOS/nixpkgs/pull/514056
- https://github.com/NixOS/nixpkgs/pull/507810
| 21:06:44 |
| 4 Jun 2026 |
Emil Thorsøe | wow, openvpn has been marginally vulnerable since 2026-04-22 | 03:46:53 |
| Echo changed their profile picture. | 04:23:41 |
K900 | libinput RCE-ish: https://gitlab.freedesktop.org/libinput/libinput/-/releases/1.31.3 | 06:54:31 |
K900 | Will do a PR in a bit | 06:54:37 |
K900 | https://github.com/NixOS/nixpkgs/pull/527861 | 07:07:08 |
K900 | (don't merge yet, waiting for 26.05 backport for previous update) | 07:07:34 |
| arias 🏳️⚧️ joined the room. | 21:50:55 |
| 5 Jun 2026 |
stigo | https://github.com/NixOS/nixpkgs/pull/528021 <- perl issues | 10:46:52 |
| Jonas Chevalier left the room. | 11:40:58 |
| 6 Jun 2026 |
hexa | https://seclists.org/oss-sec/2026/q2/822 freetype | 01:20:35 |
whispers [& it/fae] | ^ attempt at https://github.com/NixOS/nixpkgs/pull/528652 | 03:54:33 |
Emil Thorsøe | Can you elaborate on RCE, I see local privilege escalation? | 04:24:23 |
K900 | I can't read | 07:35:06 |
| 7 Jun 2026 |
arcayr | i think the apache team figure cve-2026-49975 isn't worth a proper release, so my pr with the debian patches for it is probably going to be it for a while | 02:31:14 |
arcayr | are we okay to fetchpatch2 from debian directly or would it be preferred to host the patches | 02:31:25 |
arcayr | i originally hosted them but figured it looks a bit more reliable and legitimate if they're actually from debian, idk | 02:31:57 |
hexa | fetchpatch is fine | 02:37:47 |
vcunat | From Debian you probably fetchurl, as they have it as a *file* in git. | 05:56:37 |
| 9 Jun 2026 |
hexa | Markus Theil are you doing the openssl updates? and 4.0? | 12:05:38 |
| 10 Jun 2026 |
arcayr | https://github.com/NixOS/nixpkgs/pull/530173 2.4.67 -> 2.4.68. killed my prev patch. also adds me back to maintainers.nix because nobody else is maintaining apache. | 01:55:05 |
| Hugo joined the room. | 13:42:05 |
tgerbet | I already had opened https://github.com/NixOS/nixpkgs/pull/529675 but let's go with yours if you had yourself as the maintainer :)
(Also please it's helpful if PRs with security fixes have the security label + the backport labels) | 18:23:34 |
| 11 Jun 2026 |
arcayr | don't think i could label stuff until now, i tried previously to tag something else as security and couldn't. | 02:30:37 |
arcayr | guessing it's because i wasn't in the org. | 02:30:41 |
arcayr | previous apache patch actually is what i tried to tag | 02:30:56 |