| 9 Jul 2025 |
emily | that's not source, I'm afraid | 15:03:20 |
emily | what gets published to Maven repos is… precompiled .jars | 15:03:28 |
raitobezarius (DECT: 7248) | ergh | 15:03:37 |
raitobezarius (DECT: 7248) | then I'm not building from source yeah | 15:03:42 |
emily | so you have a source build, but the dependencies are binary, and the pinned vulnerable version is hidden in there | 15:03:49 |
raitobezarius (DECT: 7248) | we are calling the gerrit source build | 15:03:55 |
raitobezarius (DECT: 7248) | if they don't do source builds… sad | 15:04:01 |
emily | actual recursive source builds for Java are a solvable problem, but unfortunately nobody has tried solving it yet | 15:04:24 |
puck | In reply to @emilazy:matrix.org but https://github.com/i2p/i2p.i2p/commit/13190931b9ce7a7abdd7af57380124aaefbcc8be#diff-658f7b1aa34b58d27796fccdb8b756c72702d64ae44703374960f1cb89a5a5c3 has the fix never been in a release | 16:23:32 |
puck | uh, the eddsa jar that I think is being depended upon | 16:23:59 |
puck | this is a vendoring of https://github.com/str4d/ed25519-java | 16:25:08 |
jade_ | I think they're not maintaining the lib. probably the pragmatic prod fix is the one suggested on the google issue tracker. | 17:21:37 |
raitobezarius (DECT: 7248) | the fix is deployed | 17:21:47 |
jade_ | which is a revert of gerrit bazel changes plus the JVM arg to allow crimes | 17:21:50 |
raitobezarius (DECT: 7248) | it would be nice if we could get a proper fix | 17:21:52 |
jade_ | ah | 17:21:54 |
jade_ | I think the better fix is actually fixing mina to fully support getting rid of the legacy lib | 17:22:08 |
raitobezarius (DECT: 7248) | I'm not clear on the security consequences of all of this | 17:22:11 |
jade_ | probably not many or none | 17:27:25 |
raitobezarius (DECT: 7248) | ok | 17:28:19 |
raitobezarius (DECT: 7248) | so for me, I will remove this topic from my mental charge | 17:28:24 |
| lambadada joined the room. | 23:49:48 |
| 10 Jul 2025 |
jade_ | anyone interested in reviewing some improvements to the notorious dependency propagation section in the nixpkgs manual? I added the necessary explanation for the math in there. https://github.com/NixOS/nixpkgs/pull/423954 | 05:48:41 |