| 15 Feb 2026 |
 emily | (but admittedly introduces another TOFU step) | 15:58:37 |
 Randy Eckenrode | I have a fix: https://github.com/NixOS/nixpkgs/pull/490757. | 17:16:24 |
| Randy Eckenrode | Do I need to target staging-next? | 17:16:59 |
 vcunat | Yes, please. | 17:17:41 |
| vcunat | The issue plagues staging-next already. | 17:17:51 |
| Randy Eckenrode | I retargeted staging-next. | 17:20:12 |
| Randy Eckenrode | The only issue is Linux. I didn’t do the patches conditionally. Are we okay on Linux rebuilds currently, or do I need to make these conditional? | 17:20:42 |
| emily | should probably conditionalize and revert on staging | 17:28:34 |
| emily | (maybe I should put up my radical proposal to eliminate master-staging merge conflicts and get rid of the "guarded change + revert on staging" medium...) | 17:35:32 |
| emily | * | 17:35:38 |
| vcunat | How would you get rid of that? | 17:40:50 |
| vcunat | (without increasing rebuild amount in situations like we have with git now) | 17:41:07 |
|  matthewcroughan changed their display name from matthewcroughan @fosdem to matthewcroughan. | 17:55:53 |
| emily | well, I have ideas that are varying degrees of radical 😅 there are lots of ways we could get rid of the manual merge conflict resolution dance but the one that would streamline the -next rebuild avoidance dance looks like:
we only have one true branch (per release), master, and we conditionalize big rebuilds with feature flags conditionals like version = if ... stage... then "3.0" else "2.1";. preparing a new -next is just increasing the "epoch" past all currently staged changes. (could also make it a bit easier for us to say "uh, big security fix, let's roll a cycle without this risky stuff")
to do clean-up and reduce the tedium of authoring changes, we have a script that automatically adds these conditionals in a separate commit on top of your "staging-based" commit. merge queue checks you didn't break eval on any epoch and that the staging commits don't cause rebuilds at the relevant epoch. then -next/staging branches just undo those staging commits so you have base for changes and we merge them in for clean-up once a cycle completes. you only have to do manual "conflict resolution" when there's a genuine divergence between the branches and the script can't automatically do it, and it happens in the relevant PRs.
so here you'd add the patch, the script would add the conditionals, and staging vs. -next would just be a question of what epoch you assign it to. you can always see from master when there's changes in-flight, and clean-up happens automatically
| 18:02:03 |
| emily | this is also a lot more auditable than our current manual merges because we can treat the staging commits like the cherry-pick CI and flag them up when they're doing something non-automatic | 18:04:34 |
| vcunat |
should probably conditionalize and revert on staging
Conditionalized.
| 18:07:43 |
| vcunat | *
[git PR] should probably conditionalize and revert on staging
Conditionalized.
| 18:07:56 |
| vcunat | [radical] I see (on a very high level at least). At a glance I'm a bit worried that some changes would be more difficult to write. And adding conditionals can cause unpleasant diffs because of force-formatting. | 18:12:53 |
| vcunat | Nice for simple version bumps probably, though. | 18:13:48 |
 Grimmauld (any/all) | compression libs do get quite some CVEs for random shit. We call our package sources "trusted", because they are pinned by a hash - a luxury we can not afford before calculating the hash. If hashing itself is an unsafe operation, then things are wrong. And thus i have my doubts about pinned zlib... | 18:15:40 |
 K900 | I mean | 18:16:19 |
| K900 | This is what Yarn upstream does | 18:16:22 |
| K900 | The only other option is regenerate all lockfiles | 18:16:28 |
| K900 | But sigh | 18:16:32 |
| vcunat | At that point we just mark these fetches as insecure? 😅 | 18:17:37 |
| vcunat | * At that point we just mark these fetches as vulnerable? 😅 | 18:17:45 |
| Grimmauld (any/all) | can we just delete JS? /hj | 18:18:12 |
| vcunat | (the "vulnerable" mechanism isn't able to differentiate substituted builds, unfortunately) | 18:18:30 |
| emily | they'd be the same to write | 18:19:22 |
| emily | staging and staging-next would always have the tree after cleanups for the relevant epoch | 18:19:52 |
