| 6 May 2026 |
|  codec joined the room. | 16:33:12 |
 hexa | same | 17:42:41 |
| hexa | blocked | 17:43:32 |
|  averyv joined the room. | 19:06:21 |
| averyv | Hiya, I'm looking at handling https://github.com/NixOS/nixpkgs/issues/517209, pi-hole vuln, coming back to it after a while of neglecting it.
Another contributor has been working on updating the package. Annoyingly it now depends on mbedtls 4.0, which that contributor has packaged here https://github.com/NixOS/nixpkgs/pull/509801. But they're getting nixpkgs-vet errors blocking it.
Is it possible to disable nixpkgs-vet so we can get the vuln fixed and refactor later? | 19:17:01 |
 kuflierl | Interesting attack. But i am quite sure that we do not build, only eval in ci and send stuff to hydra where github tokens are non-existant | 19:17:02 |
| kuflierl | * Interesting attack. But i am quite sure that we do not build, only eval in ci and send builds to hydra where github tokens are non-existant | 19:17:52 |
| averyv | * Hiya, I'm looking at handling https://github.com/NixOS/nixpkgs/issues/517209, pi-hole vuln, coming back to it after a while of neglecting it.
Another contributor has been working on updating the package. Annoyingly it now depends on mbedtls 4.0, which that contributor has packaged here https://github.com/NixOS/nixpkgs/pull/509801. But they're getting nixpkgs-vet errors blocking it.
Is it possible to disable nixpkgs-vet for the PR so we can get the vuln fixed and refactor later? | 19:18:04 |
 Winter | we do not send ANYTHING to hydra from github ci. | 19:24:44 |
| hexa | tangential https://docs.lix.systems/manual/lix/stable/installation/multi-user.html#the-lix-daemon-as-a-security-non-boundary | 19:25:55 |
| kuflierl | Is this outdated information? i remember seing seeing my changes in the hydra build queue for days until hydra picks it up | 19:26:32 |
| kuflierl | It was used more before we switched somewhat to github actions | 19:26:57 |
 leona | GHA is not involved in this process. | 19:27:08 |
 jappie | the nixpkgs-vet errors in question say that the package should be added under pkgs/by-name & that __structuredAttrs should be enabled, is there a reason why you can't ask the author of the PR to do these things? if they're unresponsive, you can open a new PR & amend their work
also, I think this discussion is more suited for https://matrix.to/#/#dev:nixos.org, this channel is for triaging security issues | 19:27:31 |
| kuflierl | Elaborate | 19:27:58 |
| jappie | maybe elaborate in #NixOS Security Discussions :p | 19:28:43 |
| jappie | maybe elaborate in #NixOS Security Discussions or the CI channel or something :p | 19:28:54 |
| 7 May 2026 |
 mdaniels5757 | Are you thinking of Ofborg? | 01:55:11 |
| mdaniels5757 | * kuflierl: Are you thinking of Ofborg? | 01:55:31 |
 vcunat | hydra.nixos.org only reads the git repo (some particular branches). There's no other interaction with GitHub. | 06:38:17 |
| vcunat | Well, the machine doing channel updates then moves those branches in the git repo, but that's tangential here. | 06:38:46 |
| kuflierl | In reply to @mdaniels5757:matrix.org
Are you thinking of Ofborg? As discussed in Discussions, yes | 19:52:56 |
| hexa | https://github.com/V4bel/dirtyfrag | 19:57:24 |
|  steinbes04 joined the room. | 20:07:55 |
 Jenny | Seems to be related, but exploits other kernel modules: https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo | 21:58:29 |
 raitobezarius | It's the same root cause | 21:59:32 |
|  kybe joined the room. | 22:04:14 |
| kuflierl | https://github.com/NixOS/nixpkgs/pull/517642
Pretty old stuff I just forgot about because the bot didn't notify me | 23:13:39 |
| 8 May 2026 |
|  jopejoe1 changed their display name from jopejoe1 (4094@epvpn) to jopejoe1. | 08:44:11 |
 K900 | https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.206 | 14:49:02 |
