23 Nov 2024 |
Tomodachi94 (they/them) | Presumably rebuilds are under 20 now (being generous with the amount of indirect dependencies) | 03:44:30 |
Tomodachi94 (they/them) | vuze ... needs some TLC, if it's even maintained upstream anymore | 04:02:32 |
emily | it is not | 04:03:48 |
Tomodachi94 (they/them) | Oh wonderful, CVE with a 9.8 severity from 2018. Last time the package was updated was 2017 | 04:12:49 |
Tomodachi94 (they/them) | (CVE-2018-13417 for the curious) | 04:13:44 |
emily | 🤪 | 04:16:59 |
emily | time for the knownVulnerabilities + removal dance | 04:17:06 |
Tomodachi94 (they/them) | You know it! About to do the first movement, titled vuze: drop | 04:18:13 |
emily | oh it's broken = true; | 04:31:00 |
emily | not exactly security critical then | 04:31:19 |
emily | Tomodachi94 (they/them): can you move the release note to 24.11 | 04:31:36 |
Tomodachi94 (they/them) | In reply to @emilazy:matrix.org ("Tomodachi94 (they/them): can you move the release note to 24.11"): Done | 04:35:32 |
Tomodachi94 (they/them) | And I take it we only need to do the knownVulns dance for 24.05? | 04:36:37 |
emily | indeed | 04:36:51 |
emily | though considering it's marked broken and doesn't even run… | 04:37:04 |
emily | would be pretty impressive to find a way to hit yourself with that particular rake | 04:37:17 |
Tomodachi94 (they/them) | It's not marked broken on 24.05. Whether it runs on that release or we simply forgot to backport the broken = true addition, I don't feel like finding out | 04:40:09 |
emily | yeah just mark it | 04:40:54 |
Tomodachi94 (they/them) | https://github.com/NixOS/nixpkgs/pull/358314 | 04:42:47 |
Tomodachi94 (they/them) | I wonder how feasible it would be to make a script that automates most of the process involved with dropping an insecure package | 04:45:01 |
emily | ideally we'd have fewer of them 🫠 | 04:45:27 |
emily | can you take the [backport] out of the commit message (that's a PR title thing + this isn't actually a backport which might confuse someone looking for the non-backported PR) | 04:46:12 |
Tomodachi94 (they/them) | Drop the release- prefix too? | 04:46:44 |
emily | the commit message should be unadorned; PR title is whatever | 04:47:44 |
Tomodachi94 (they/them) | In reply to @emilazy:matrix.org ("the commit message should be unadorned; PR title is whatever"): Completed | 04:48:18 |
emily | love a package that's unmaintained, broken, and insecure | 04:48:45 |
Tomodachi94 (they/them) | Now time to check through GitHub Search if anyone is using this package in their dotfiles | 04:48:51 |
Tomodachi94 (they/them) | In reply to @emilazy:matrix.org ("love a package that's unmaintained, broken, and insecure"): And was hardcoded to JDK 8 through an override in all-packages | 04:49:21 |
Tomodachi94 (they/them) | It's all of your favorite things!! /s | 04:49:39 |
Tomodachi94 (they/them) | * And was hardcoded to use JDK 8 through an override in all-packages | 04:49:59 |