| 19 Mar 2026 |
Robert Hensing (roberth) | The review idea is a bit unorthodox if Google were to judge it by its title. I'd recommend giving it a twist, pick a particular set of packages, or a particular approach, perhaps automation. | 22:34:50 |
Robert Hensing (roberth) | We don't have a designated mentor for this, but someone can still jump in. Knowing a mentor is not a requirement for submitting a proposal to GSoC | 22:36:28 |
Omoruyi Emmanuel | Omoruyi Osakue: Could you tell me who the mentor is for "Review Nixpkgs PRs", or am I too late? | 22:42:22 |
Robert Hensing (roberth) | We don't have a designated mentor for this yet, but otoh this is our main activity so I don't think that should deter you | 23:04:29 |
| 20 Mar 2026 |
Clumsily6239 | Hi all,
I'm looking into the GSoC project for 'SBOM Accuracy and PURL Integration for Nixpkgs'. I noticed the mentor field is currently open on the ideas list, does anyone know who is the current mentor? I was reviewing the prior efforts and wanted to ask a few questions. | 09:44:38 |
Clumsily6239 | * Hi all,
I'm looking into the GSoC project for 'SBOM Accuracy and PURL Integration for Nixpkgs'. I noticed the mentor field is currently open on the ideas list, does anyone know who is the mentor? I was reviewing the prior efforts and wanted to ask a few questions. | 09:44:47 |
fricklerhandwerk | This is the right place to ask those questions, the SBOM team will be delighted to help you out: https://matrix.to/#/#nixpkgs-sbom:matrix.org | 10:00:12 |
Clumsily6239 | Oh, ty. | 10:03:26 |
Clumsily6239 | Can we also propose our own ideas? Is that allowed? | 10:30:27 |
not-jack | Yea | 10:59:07 |
Clumsily6239 | I was looking at the list of ideas for GSoC, and came across the "Enhanced Patch Information Extraction" project.
I read through the referenced issue, and there doesn’t seem to be a clearly enforced format for how patches are named or described, apart from some CVE-related patches including identifiers.
I wanted to better understand what the intended goal of this project is, whether the focus is on standardizing how patches are described, extracting structured metadata from existing patches for downstream tools, or a combination of both. | 11:45:12 |
Robert Hensing (roberth) | A combination of both. Note that the ideas are just suggestions. Ultimately it's the submissions to GSoC that get reviewed | 12:05:36 |
Robert Hensing (roberth) | * A combination of both. Note that the ideas are just suggestions. Ultimately it's your submissions to GSoC that get reviewed | 12:05:45 |
Clumsily6239 | Got it, thanks! | 12:19:29 |
Tristan Ross | I believe I should be under that | 15:18:54 |
Tristan Ross | Yeah, I think that is one that I proposed when I was asked about GSoC ideas a while back. Some of it is that there are patches which fix CVEs but they do not contain a CVE name in them. So it would require identifying that. I've also thought about adding vulnerability or patch metadata to nixpkgs. This is very useful to be able to say where a patch comes from if it's a vendored file. There are also various other things that become useful which could be attached. | 15:22:17 |
Swaraj | Robert Hensing (roberth): Hi Robert! Just wanted to let you know that raf has agreed to be a mentor for the "Improved release notes for Nixpkgs" GSoC project! | 15:43:00 |
| 21 Mar 2026 |
Clumsily6239 | Yeah, that makes sense, especially around tracking patches that fix CVEs which aren’t explicitly referenced.
I’ve been looking into extracting metadata from existing packages in nixpkgs (from URLs, comments, etc.). While that works to an extent, it clearly hits limits when the information isn’t present. Using nix eval to resolve patch lists also helps in some cases.
Right now I'm trying to output a JSON file that downstream tools can use. Long term, however, standardizing patch metadata into nixpkgs itself would be ideal. | 04:32:57 |
Tristan Ross | Yeah, I've written an SBOM generation tool at work and it works very well. It generates the CycloneDX vulnerabilities list and that seems to work well with grype. | 04:34:27 |
AnnoyingRains | Hey all, I'm interested in finding a mentor for reviewing nixpkgs PRs! As a note, I'm located in Australia, so finding someone near my timezone would be great! | 05:19:52 |
AnnoyingRains | oh I think I am misunderstanding how this process works haha - first time doing gsoc | 05:22:54 |