| 22 Apr 2024 |
@linus:schreibt.jetzt | Hm, that's not really a helpful reproducer since the fix doesn't prevent the alert from happening? | 15:27:30 |
@linus:schreibt.jetzt | (or at least as far as I understand the fix, it shouldn't) | 15:28:17 |
das_j | In reply to @linus:schreibt.jetzt ("Hm, that's not really a helpful reproducer since the fix doesn't prevent the alert from happening?"): That's a reasonable point :/ | 15:28:41 |
das_j | I can just drop it, it's not like the issue or anyone's vulnerability to it is debatable | 15:29:14 |
@5m5z3q888q5prxkg:chat.lightnovel-dungeon.de | In reply to @janne.hess:helsinki-systems.de ("@room Your Hydra might have an XSS vulnerability, please check if you need to update: https://github.com/NixOS/hydra/security/advisories/GHSA-2p75-6g9f-pqgx"): Does that in any way affect NixOS users who use the distro-provided cache? | 16:46:55 |
@5m5z3q888q5prxkg:chat.lightnovel-dungeon.de | In reply to @janne.hess:helsinki-systems.de ("@room Your Hydra might have an XSS vulnerability, please check if you need to update: https://github.com/NixOS/hydra/security/advisories/GHSA-2p75-6g9f-pqgx"): * Does that in any way affect NixOS users who use the distro-provided cache? e.g. malicious cache? | 16:49:44 |
das_j | In reply to @5m5z3q888q5prxkg:chat.lightnovel-dungeon.de ("Does that in any way affect NixOS users who use the distro-provided cache? e.g. malicious cache?"): It doesn't affect the cache, it's only an issue when looking at HTML files from the Hydra web interface | 16:51:49 |
Rick (Mindavi) | Merged the fixes in nixpkgs, doesn't seem like it'll hurt | 17:03:29 |
| 24 Apr 2024 |
osnyx (he/him) | I had wanted to use replaceRuntimeDependencies in a system config to hotfix the latest glibc CVE, but unfortunately Hydra fails to evaluate it due to
error: access to absolute path '/nix/store/anlf335xlh41yjhm114swi87406mq5pw-glibc-2.38-44' is forbidden in restricted mode.
I guess there's a good reason why Hydra uses restricted mode and I'd better not just patch evalSettings.restrictEval = false;?
| 15:57:34 |
cransom | there is probably a good reason, but back when i used hydra, i also patched that out for... reasons. | 16:01:28 |