| 17 Dec 2024 |
GGG | we'd also need to guarantee it works with paket et al. | 22:48:22 |
Corngood | yeah, tools and paket are the ones that come to mind. also some explicit downloads in msbuild, etc | 22:48:25 |
6pak | and imo it's fair to not handle it in the generic msbuild tooling | 22:48:24 |
Whovian9369 | That context sums it up well -- I don't really like the idea of using the insecure allowance but it may just be what I end up doing. Thanks for the thoughts! | 22:48:40 |
Corngood | That's understandable. Has the upstream project considered this? Providing an LTS build that's not on a supported platform seems odd. | 22:49:38 |
GGG | upstream seems abandoned from what I saw | 22:49:54 |
GGG | last release 2 years ago | 22:49:55 |
GGG | they have some commits but no releases in the interim | 22:50:36 |
GGG | there's a commit updating to .NET 9 rc2 but idk how stable that is | 22:50:45 |
Whovian9369 | Pre-Release was ~1yr ago | 22:51:02 |
GGG | both releases are from 2022, which is 2 years ago | 22:51:31 |
Whovian9369 | I misread the year, apologies. | 22:51:42 |
Corngood | I actually think dotnet 6 is so widely use that I'm not worried about it being EOL. There are tons of things that are less likely to get security fixes that aren't marked insecure in nixpkgs. | 22:51:47 |
GGG | you could risk building from the latest commit from the main branch | 22:51:52 |
Corngood | * I actually think dotnet 6 is so widely used that I'm not worried about it being EOL. There are tons of things that are less likely to get security fixes that aren't marked insecure in nixpkgs. | 22:52:09 |
Whovian9369 | Honestly I'd say that the dev is just busy, but I don't quite know what else to say or do about it as I figure the response I'd get would be "PR it then." but... 🤷 | 22:52:24 |
GGG | it is widely used but won't be getting any security updates even if something does happen though | 22:52:26 |
GGG | * it is widely used but won't be getting any security updates even if something does happen though, nor will anyone report it as a security issue because it's been abandoned | 22:52:43 |
GGG | well, they have a commit updating it to .NET 9, you could try building from that: https://github.com/aaru-dps/Aaru/commit/3d8ba7df385a43fccfee5b16cb90532197b8931d | 22:53:22 |
Corngood | I would be very surprised if Microsoft didn't patch a serious vulnerability if it was found in the next couple years. And I think at the very least we'd be likely to hear about it. | 22:53:29 |
Whovian9369 | I do that in the same flake and normally use it in my day to day NixOS-WSL environment (though as of yesterday seems broken on my machine, need to check on that), but again 🤷 | 22:53:34 |
Whovian9369 | {
  packages = {
    x86_64-linux = {
      default = self.packages.x86_64-linux.prerelease;
      git = nixpkgs.legacyPackages.x86_64-linux.callPackage ./git.nix {};
      lts = pkgs.callPackage ./lts.nix {};
      prerelease = pkgs.callPackage ./prerelease.nix {};
    };
  };
};
| 22:54:04 |
GGG | they won't, they'll just tell people to upgrade, if you bought into the whole new .NET scheme you also bought into the release cadence.
if you want stability then just stick with .NET Framework | 22:54:06 |
GGG | they did this exactly so they didn't have to maintain a billion versions of .NET | 22:54:18 |
Corngood | Yeah, I know they aren't planning on fixing anything, but I still think they'd do it if it was bad enough. I don't object to it being marked insecure though, because I can make that call myself. | 22:56:28 |
GGG | if you do know of something in nixpkgs that is insecure though, I'd argue for making a PR marking it insecure | 22:59:01 |
GGG | and then see people's arguments if they argue against it | 22:59:10 |
Corngood | Of course, but when does EOL == insecure? Like is llvm 12 going to get fixes? | 22:59:41 |
GGG | though I guess you're talking about things that haven't been officially dropped but are kind of dropped | 22:59:48 |
GGG | that's the standard afaik, it has been done with openssl iirc | 23:00:16 |