| 23 Nov 2024 |
emily | sgtm | 02:58:51 |
Tomodachi94 (they/them) | * Thus, it's also infinitely easier to review (rebuild a few select packages vs all 800 dependencies), so I'll be unblocked faster | 02:59:12 |
Tomodachi94 (they/them) | You're good at talking people out of bad design decisions :) | 03:00:11 |
emily | sometimes I talk people into them just to shake it up 😈 | 03:00:39 |
Tomodachi94 (they/them) | To hardcode or not to hardcode the path to the Ant executable, that is the question | 03:04:03 |
Tomodachi94 (they/them) | * To hardcode or not to hardcode the path to the Ant executable in the hook, that is the question | 03:04:13 |
Tomodachi94 (they/them) | Okay, refactored everything to use a separate ant.hook package, down to 6 commits (versus the 14 before) | 03:41:45 |
Tomodachi94 (they/them) | Presumably rebuilds are under 20 now (being generous with the amount of indirect dependencies) | 03:44:30 |
Tomodachi94 (they/them) | vuze... needs some TLC, if it's even maintained upstream anymore | 04:02:32 |
emily | it is not | 04:03:48 |
Tomodachi94 (they/them) | Oh wonderful, CVE with a 9.8 severity from 2018. Last time the package was updated was 2017 | 04:12:49 |
Tomodachi94 (they/them) | (CVE-2018-13417 for the curious) | 04:13:44 |
emily | 🤪 | 04:16:59 |
emily | time for the knownVulnerabilities + removal dance | 04:17:06 |
Tomodachi94 (they/them) | You know it! About to do the first movement, titled vuze: drop | 04:18:13 |
emily | oh it's broken = true; | 04:31:00 |
emily | not exactly security critical then | 04:31:19 |
emily | Tomodachi94 (they/them): can you move the release note to 24.11 | 04:31:36 |
Tomodachi94 (they/them) | (In reply to @emilazy:matrix.org: "Tomodachi94 (they/them): can you move the release note to 24.11") Done | 04:35:32 |
Tomodachi94 (they/them) | And I take it we only need to do the knownVulns dance for 24.05? | 04:36:37 |
emily | indeed | 04:36:51 |
emily | though considering it's marked broken and doesn't even run… | 04:37:04 |
emily | would be pretty impressive to find a way to hit yourself with that particular rake | 04:37:17 |
Tomodachi94 (they/them) | It's not marked broken on 24.05. Whether it runs on that release or we simply forgot to backport the broken = true addition, I don't feel like finding out | 04:40:09 |
emily | yeah just mark it | 04:40:54 |
Tomodachi94 (they/them) | https://github.com/NixOS/nixpkgs/pull/358314 | 04:42:47 |
Tomodachi94 (they/them) | I wonder how feasible it would be to make a script that automates most of the process involved with dropping an insecure package | 04:45:01 |
emily | ideally we'd have fewer of them 🫠 | 04:45:27 |
emily | can you take the [backport] out of the commit message (that's a PR title thing + this isn't actually a backport which might confuse someone looking for the non-backported PR) | 04:46:12 |
Tomodachi94 (they/them) | Drop the release- prefix too? | 04:46:44 |