| 6 May 2026 |
 arcayr | https://github.com/NixOS/nixpkgs/pull/517132 apacheHttpd 2.4.66 -> 2.4.67 fixing cve-2026-23918 - https://httpd.apache.org/security/vulnerabilities_24.html / https://www.cve.org/CVERecord?id=CVE-2026-23918 | 04:52:22 |
 vcunat | weblate is in need of backport to 25.11, in case anyone's interested.
https://github.com/NixOS/nixpkgs/pull/510728#issuecomment-4386087895 | 08:31:12 |
|  lgian joined the room. | 09:15:35 |
 dish [Fox/It/She] | Not critical but someone seems to be trying to do weird exfil backdoor attacks on nixpkgs via CI, see https://github.com/NixOS/nixpkgs/pull/517354 | 16:24:30 |
| dish [Fox/It/She] | afaik none of this works but i could be wrong so bringing it up here for visibility | 16:24:40 |
| dish [Fox/It/She] | (it also seems to be using a very very expired webhook for exfil so i dont think this works anyways) | 16:25:55 |
 Alyssa Ross | I reported the account to GitHub. An org owner could also block them from the org. | 16:29:05 |
 Winter | ^ handling | 16:30:26 |
 tgerbet | Yeah they abuse a bunch of other repositories
I have spotted one where they got some success, I'm reaching out to them | 16:31:30 |
|  codec joined the room. | 16:33:12 |
 hexa | same | 17:42:41 |
| hexa | blocked | 17:43:32 |
|  averyv joined the room. | 19:06:21 |
| averyv | Hiya, I'm looking at handling https://github.com/NixOS/nixpkgs/issues/517209, pi-hole vuln, coming back to it after a while of neglecting it.
Another contributor has been working on updating the package. Annoyingly it now depends on mbedtls 4.0, which that contributor has packaged here https://github.com/NixOS/nixpkgs/pull/509801. But they're getting nixpkgs-vet errors blocking it.
Is it possible to disable nixpkgs-vet so we can get the vuln fixed and refactor later? | 19:17:01 |
 kuflierl | Interesting attack. But i am quite sure that we do not build, only eval in ci and send stuff to hydra where github tokens are non-existant | 19:17:02 |
| kuflierl | * Interesting attack. But i am quite sure that we do not build, only eval in ci and send builds to hydra where github tokens are non-existant | 19:17:52 |
| averyv | * Hiya, I'm looking at handling https://github.com/NixOS/nixpkgs/issues/517209, pi-hole vuln, coming back to it after a while of neglecting it.
Another contributor has been working on updating the package. Annoyingly it now depends on mbedtls 4.0, which that contributor has packaged here https://github.com/NixOS/nixpkgs/pull/509801. But they're getting nixpkgs-vet errors blocking it.
Is it possible to disable nixpkgs-vet for the PR so we can get the vuln fixed and refactor later? | 19:18:04 |
| Winter | we do not send ANYTHING to hydra from github ci. | 19:24:44 |
| hexa | tangential https://docs.lix.systems/manual/lix/stable/installation/multi-user.html#the-lix-daemon-as-a-security-non-boundary | 19:25:55 |
| kuflierl | Is this outdated information? i remember seing seeing my changes in the hydra build queue for days until hydra picks it up | 19:26:32 |
| kuflierl | It was used more before we switched somewhat to github actions | 19:26:57 |
 leona | GHA is not involved in this process. | 19:27:08 |
 jappie | the nixpkgs-vet errors in question say that the package should be added under pkgs/by-name & that __structuredAttrs should be enabled, is there a reason why you can't ask the author of the PR to do these things? if they're unresponsive, you can open a new PR & amend their work
also, I think this discussion is more suited for https://matrix.to/#/#dev:nixos.org, this channel is for triaging security issues | 19:27:31 |
| kuflierl | Elaborate | 19:27:58 |
| jappie | maybe elaborate in #NixOS Security Discussions :p | 19:28:43 |
| jappie | maybe elaborate in #NixOS Security Discussions or the CI channel or something :p | 19:28:54 |
| 7 May 2026 |
 mdaniels5757 | Are you thinking of Ofborg? | 01:55:11 |
| mdaniels5757 | * kuflierl: Are you thinking of Ofborg? | 01:55:31 |
| vcunat | hydra.nixos.org only reads the git repo (some particular branches). There's no other interaction with GitHub. | 06:38:17 |
| vcunat | Well, the machine doing channel updates then moves those branches in the git repo, but that's tangential here. | 06:38:46 |
