| 18 Aug 2025 |
 Grimmauld (any/all) | worked decently well in libsoup ocne we were under 100 users: https://github.com/NixOS/nixpkgs/pull/427813 | 16:23:20 |
 Marie | it does but it's a bit broken so they default to x11 | 16:23:54 |
 emily | we need to backport the mark though | 16:24:31 |
| emily | but it's probably fine | 16:24:32 |
| emily | that libsoup thing should also be backported but the fallout seems bad | 16:24:40 |
 K900 | No it's not? | 16:25:20 |
| Grimmauld (any/all) | we had most of the libsoup migrations merged before 25.05 for a reason | 16:25:19 |
| emily | actually isn't fcitx5-chinese-addons sort of important | 16:25:23 |
| K900 | It's pretty active | 16:25:26 |
| emily | I know fcitx is very popular with Chinese users | 16:25:29 |
| emily | but not sure if that package specifically is | 16:25:35 |
| Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/pull/398783#issuecomment-2824682603
We need this no matter what since it is security relevant and will block further security updates in the future.
Sandro actually had a good point here. And as such on 25.05 the libsoup2 usage is below 100 too
| 16:26:27 |
| emily | https://github.com/jellyfin/jellyfin-media-player/pull/599 😔 | 16:26:41 |
| emily | well I just mean I see people complaining regularly about all their stuff being broken because of it | 16:27:00 |
| Grimmauld (any/all) | but thats offtopic here, would continue that in #security-discuss:nixos.org , lets get back to qtwebengine | 16:27:08 |
| emily | backporting that kind of stuff hurts | 16:27:06 |
| emily | I'm satisfied by the list here though, I think we can move forward with it | 16:27:20 |
| emily | I don't think we need to block Plasma removal on it | 16:27:34 |
| emily | er, vice versa | 16:27:42 |
| emily | because it's just … choosing what error people get | 16:27:44 |
| Grimmauld (any/all) | fair enough | 16:27:54 |
| emily | or at least we can get a PR up marking it as vulnerable and land them together | 16:27:57 |
| emily | https://github.com/jellyfin/jellyfin-media-player/pull/844 does not look like anyone is putting real work into it | 16:28:33 |
| Grimmauld (any/all) | should we dig out like 20 CVEs that affect the old qtwebengine or do we not bother and just slap it with some text? | 16:29:03 |
| K900 | Probably fine to just say "uses outdated chromium version, figure it out" | 16:30:54 |
| emily | "EOL since April 2025, vulnerable to all Chromium CVEs since then" | 16:32:03 |
| emily | (well, technically there can be CVEs that don't apply to their ancient Chromium) | 16:32:21 |
| emily | (…there can also be CVEs that apply only to their ancient Chromium) | 16:32:33 |
| emily | it's Chromium 87, from 2020 | 16:33:20 |
| emily | with half a decade of backported security patches | 16:33:25 |
