| 8 Jun 2021 |
hexa | https://github.com/NixOS/nixpkgs/pull/126271 | 21:31:55 |
hexa | this is not a proper fix, since it introduces a regression into the release | 21:34:07 |
hexa | but fixing up p11-kit/cacert is going to take a while | 21:34:17 |
hexa | https://nvd.nist.gov/vuln/detail/CVE-2021-20201 | 22:58:16 |
hexa | fixed in spice >= 0.14.92, which is not a public release yet | 22:58:40 |
hexa | https://nvd.nist.gov/vuln/detail/CVE-2020-14355 | 22:59:29 |
hexa | fixed in spice-gtk >= 0.14.2-1, no public release yet | 22:59:49 |
| 9 Jun 2021 |
hexa | https://github.com/NixOS/nixpkgs/pull/126291 | 01:34:44 |
pennae | oh nice, 5th-gen doesn't get updates? :D | 01:52:11 |
| 10 Jun 2021 |
hexa | yeah, I guess our ability to deliver security fixes through staging is fckd because of a lack of darwin builders | 20:16:15 |
Sandro | Demote Darwin to level 2? | 21:26:08 |
Alyssa Ross | x86_64-darwin is tier 2 already | 21:27:09 |
| 11 Jun 2021 |
hexa | https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/ | 00:00:29 |
andi- | Thankfully nobody has mutable users, right? | 08:10:29 |
Linux Hackerman | Pretty sure there are many other ways to get root via polkit :) | 08:24:22 |
Henson | because the fix for the polkit bug (https://github.com/NixOS/nixpkgs/pull/125554) is in the form of a patch without any change to the package version string, is there any way for someone to tell whether a particular system has this fix or not? | 11:30:54 |
pennae | you could check the package version and the store hash that provides the running polkit | 11:32:44 |
Henson | but the package version will just be 0.118 both with and without the fix, right? | 11:34:11 |
Synthetica | we should really have a canonical way of denoting security patches | 11:35:24 |
pennae | Henson: yeah, but the store hash will be different (and only one of them will be vulnerable) | 11:35:46 |
pennae | would be better to have a marker though | 11:35:58 |
Henson | pennae: yes, to tell from the store hash you'd have to download a known fixed version and compare the hash. And if they're different, that doesn't necessarily mean the other one is vulnerable, as the store hash could change based on some other non-patch-related build dependency of polkit | 11:37:20 |
pennae | true, that way you can only really identify something that is for-sure broken | 11:39:00 |
Sandro | I have a better idea: `cat /nix/var/nix/profiles/per-user/$USER/channels/nixos/.version-suffix | cut -d. -f2` and then check if that short hash includes the commit you need | 11:40:28 |
Sandro | pretty easy and uses existing stuff we already have | 11:40:47 |