| 2 Nov 2024 |
 emily | there's an asymmetry in Nixpkgs where our package inclusion standards are very low – we let in so many packages that we can't afford to make it rough to drop dormant ones | 02:05:52 |
| emily | (not in contradiction with our review process being very bikesheddy: people will bikeshed all day about your Nix expression but rarely will they ask if it's worth packaging something at all) | 02:06:13 |
 Tomodachi94 (they/them) | I'm going to make the drop PR and see if the maintainer cares at all | 02:06:30 |
| Tomodachi94 (they/them) | If the maintainer doesn't respond in a few days, <Merge pull request> :) | 02:06:54 |
| emily | sure, maybe just roll it into the oraclejdk drop? | 02:07:03 |
| emily | and if you could update the manual section to not reference it in that one too that'd be great | 02:07:16 |
| Tomodachi94 (they/them) | In reply to@emilazy:matrix.org
sure, maybe just roll it into the oraclejdk drop? Maybe. I'm going to hunt for CVEs for it as well, so there's slightly stronger justification | 02:07:43 |
| emily | probably not many people filing CVEs for a proprietary Java Card devkit I imagine | 02:08:04 |
| Tomodachi94 (they/them) | * Maybe. I'm going to hunt for CVEs for javacard-devkit as well, so there's slightly stronger justification | 02:08:05 |
| emily | IMO the justification is: it depends on a package being removed for being an unmaintained security disaster, is many years of out of date compared to what we could be packaging (there are modern Linux versions: https://www.oracle.com/java/technologies/javacard-downloads.html#sdk-sim), and it has been untouched since 2018 so there is no reason to expect that the former two will be resolved (and it's not your job to do so) | 02:09:54 |
| Tomodachi94 (they/them) | Yeah fair. I'm finding 3 CVEs for the hardware itself, but nothing for the devkit | 02:09:55 |
| Tomodachi94 (they/them) | (meant to be in reply to your message before justification) | 02:10:56 |
| Tomodachi94 (they/them) | shakes fist at Atlassian Confluence & Crowd & Jira, and Docear packages for having an obscured dependency on oraclejre | 02:19:21 |
| emily | oh boy | 02:21:40 |
| emily | Atlassian only supports the Oracle JRE (JRASERVER-46152).
| 02:21:49 |
| emily | 🤡 | 02:21:51 |
| Tomodachi94 (they/them) | So much for dropping OracleJDK/JRE 🤡 | 02:22:20 |
| emily | are you sure? | 02:22:27 |
| emily | you assume that these packages are, themselves, maintained | 02:22:40 |
| emily | damn apparently at least one of them is | 02:22:59 |
| emily | anyway, Atlassian definitely won't support running on an Oracle JDK from 2021 | 02:23:14 |
| Tomodachi94 (they/them) | The Atlassian stuff is in the NixOS modules (I suspect it should actually be something configured in the package, but I digress) | 02:23:52 |
| emily | https://jira.atlassian.com/browse/JRASERVER-46152 | 02:24:01 |
| emily | this doesn't actually back up the assertion | 02:24:04 |
| emily | imo, set it to the corresponding OpenJDK packages in the PR, ping @techknowlogick since they seem to maintain them | 02:25:20 |
| emily | people deploying atlassian software on NixOS should certainly know that they're running an unsupported JDK, and AFAICT the issue linked is just about, like… a regex issue? | 02:26:02 |
| emily | [emily@build01:~]$ nix run nixpkgs#jdk8 -- -version
openjdk version "1.8.0_422"
| 02:26:22 |
| emily | and AFAICT our JDKs should pass the regex just fine | 02:26:28 |
| Tomodachi94 (they/them) | In reply to@emilazy:matrix.org
people deploying atlassian software on NixOS should certainly know that they're running an unsupported JDK, and AFAICT the issue linked is just about, like… a regex issue? Well they'll know now that knownVulns is set /j | 02:26:32 |
| emily | this is what sucks about Nixpkgs. if you stare at anything for too long you discover fractal cobwebs covering everything | 02:27:27 |
