| 20 May 2023 |
raitobezarius | The fix has to be done here I guess | 00:10:59 |
raitobezarius | Turn the "no" into a "warn" if this is an insecure exception | 00:12:10 |
raitobezarius | Actually I wonder if we should not let this crisis go to waste | 00:16:32 |
raitobezarius | And introduce a willBeEOL flag or something | 00:16:48 |
hexa | this is piegames territory 😄 | 00:18:23 |
raitobezarius | Nixpkgs warnings when | 00:18:38 |
raitobezarius | (in the sense of the RFC) | 00:18:46 |
hexa | raitobezarius: ruby openssl gem only fails when building gitlab | 01:39:46 |
raitobezarius | Is gitlab pinning openssl wrongly | 01:46:15 |
raitobezarius | rubyRelaxDeps when | 01:46:22 |
hexa | they pin openssl 2.2.2 😄 | 01:46:47 |
raitobezarius | Well that sounds actionable | 01:47:43 |
hexa | yeah, posted to #gitlab:nixos.org | 01:47:50 |
raitobezarius | I just hope it does not have far reaching impacts | 01:47:53 |
raitobezarius | e.g. crippling the ssh or TLS stuff | 01:48:04 |
vcunat | In reply to @raitobezarius:matrix.org "The fix has to be done here I guess": We could configure Hydra's eval to allow insecure stuff. | 07:54:13 |
vcunat | Maybe that will be a good policy for most cases where the flag is set? Probably better err on the side of building a few things that aren't really useful? | 07:55:38 |
vcunat | So like around here? https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/release.nix#L19 (which can be overridden trivially in each jobset's config) | 07:57:43 |
raitobezarius | In reply to @vcunat:matrix.org "We could configure Hydra's eval to allow insecure stuff.": Would you do it for all insecure stuff? | 13:40:59 |
raitobezarius | Like, I err also on the side of building the things that are really useful | 13:41:17 |
raitobezarius | Like only Node.js 16, and OpenSSL 1.1 in our case | 13:41:24 |
raitobezarius | But I don't have any data and real opinion on building everything that's insecure by default | 13:41:37 |
raitobezarius | Beyond the fact that my gut feeling is that I do not want to encourage free cache for insecure software | 13:41:47 |
raitobezarius | At the same time, @delroth (who is not in this channel) argued that making security updates a PITA will make users less willing to upgrade | 13:42:04 |
raitobezarius | While this argument seems indeed sound, I do not know what to do about users who give up on doing security updates because their insecure software requires recompilation | 13:42:27 |
raitobezarius | For Node.js 16 & OpenSSL 1.1, it makes sense that this would be too much | 13:42:38 |
raitobezarius | Is there anything else to that list? | 13:42:47 |
vcunat | Yes, I meant all. I thought of it mainly because it seemed much easier to implement. I assume it will always be very cheap to build. Maybe I should check what gets covered right now (transitively). | 13:48:18 |
raitobezarius | https://github.com/NixOS/nixpkgs/pull/233024 | 13:48:37 |