| 16 Jan 2026 |
emily | for an integer overflow issue in a memory allocation function? no | 22:31:59 |
emily | anything letting untrusted parties pass huge values there is doomed already | 22:32:15 |
emily | https://matrix.to/#/!ZRgXNaHrdpGqwUnGnj:nixos.org/$_nFYUuPwe8sGpb2iv1WyH1FKc7L_JM6CRRCF9fhPlKg?via=nixos.org&via=matrix.org&via=nixos.dev | 22:32:30 |
emily | also, this involves allocating an object whose size can't fit in ptrdiff_t? | 22:33:28 |
emily | that's UB in both LLVM and GCC | 22:33:34 |
emily | so a security bug in any code that allows user input to trigger it both before and after remediation | 22:33:56 |
emily | or well, maybe the alignment part makes it subtler here | 22:34:40 |
emily | giving untrusted input control over alignment is pretty wild already though. unless I'm missing something this feels like nothing | 22:35:14 |
Fabián Heredia | There are two, that is the first one and the second one is stack leak to a dns resolver | 22:37:35 |
emily | ah ok I missed that one | 22:37:49 |
emily | that one is also nothing :) | 22:38:28 |
Fabián Heredia | Though I would say I don't think those are critical enough to require an immediate rebuild | 22:38:31 |
ma27 | fwiw no objections from my side on targeting staging instead of -next. Can retarget the PR tomorrow, I'll go to sleep now. | 22:39:24 |
K900 | The second one is nothing | 22:39:41 |
K900 | The first one I may have misread | 22:39:47 |
K900 | It's almost 2AM | 22:39:51 |
emily | yeah heap overflow in a case that is maybe compiler UB regardless and in any case involves giving attackers crazy levels of control of memory allocation, plus uncommon calls leaking small amounts of stack to DNS server = I sleep | 22:40:41 |
emily | I'd expect -next contains juicier fixes already | 22:41:40 |
| 17 Jan 2026 |
Sergei Zimmerman (xokdvium) | There's a slight include messup with cppnix 2.33 and glibc 2.42. I should send that to staging-next now? https://github.com/NixOS/nix/pull/15011 | 18:45:42 |
Sergei Zimmerman (xokdvium) | Or just master and the regular merge will do the thing? | 18:46:54 |
K900 | master is fine | 18:48:17 |
emily | staging-nixos, no? | 18:53:29 |
emily | given the test rebuilds? | 18:53:37 |
emily | or is it not default yet? | 18:53:43 |
Sergei Zimmerman (xokdvium) | Not the default | 18:54:59 |
Sergei Zimmerman (xokdvium) | Going to also grab aarch64-darwin patches to fix darwin | 19:00:11 |
Sergei Zimmerman (xokdvium) | * Going to also grab aarch64-darwin patches to fix darwin sandbox shenanigans | 19:00:25 |
| 18 Jan 2026 |
Randy Eckenrode | python3Packages.setproctitle is failing to build on 25.11. It happened to build on unstable, but that may have been a happy accident, so I’m going to fix the failure on staging first. When I do the backport, should it still target staging-25.11, or can it be retargeted to release-25.11 since it’s not technically causing rebuilds (but it will cause a bunch of builds)? | 19:53:52 |