| 16 Jan 2026 |
 emily | so a security bug in any code that allows user input to trigger it both before and after remediation | 22:33:56 |
| emily | or well, maybe the alignment part makes it subtler here | 22:34:40 |
| emily | giving untrusted input control over alignment is pretty wild already though. unless I'm missing something this feels like nothing | 22:35:14 |
 fabianhjr | There are two, that is the first one and the second one is stack leak to a dns resolver | 22:37:35 |
| emily | ah ok I missed that one | 22:37:49 |
| emily | that one is also nothing :) | 22:38:28 |
| fabianhjr | Though I would say I don't think those are critical enough to require and inmediate rebuild | 22:38:31 |
 ma27 | fwiw no objections from my side on targeting staging instead of -next. Can retarget the PR tomorrow, I'll go to sleep now. | 22:39:24 |
 K900 | The second one is nothing | 22:39:41 |
| K900 | The first one I may have misread | 22:39:47 |
| K900 | It's almost 2AM | 22:39:51 |
| emily | yeah heap overflow in a case that is maybe compiler UB regardless and I'm any case involves giving attackers crazy levels of control of memory allocation, plus uncommon calls leaking small amounts of stack to DNS server = I sleep | 22:40:41 |
| emily | I'd expect -next contains juicier fixes already | 22:41:40 |
| 17 Jan 2026 |
 Sergei Zimmerman (xokdvium) | There's a slight include messup with cppnix 2.33 and glibc 2.42. I should send that to staging-next now? https://github.com/NixOS/nix/pull/15011 | 18:45:42 |
| Sergei Zimmerman (xokdvium) | Or just master and the regular merge will do the thing? | 18:46:54 |
| K900 | master is fine | 18:48:17 |
| emily | staging-nixos, no? | 18:53:29 |
| emily | given the test rebuilds? | 18:53:37 |
| emily | or is it not default yet? | 18:53:43 |
| Sergei Zimmerman (xokdvium) | Not the default | 18:54:59 |
| Sergei Zimmerman (xokdvium) | Going to also grab aarch64-darwin patches to fix darwin | 19:00:11 |
| Sergei Zimmerman (xokdvium) | * Going to also grab aarch64-darwin patches to fix darwin sandbox shenanigans | 19:00:25 |
| 18 Jan 2026 |
 Randy Eckenrode | python3Packages.setproctitle is failing to build on 25.11. It happened to build on unstable, but that may have been a happy accident, so I’m going to fix the failure on staging first. When I do the backport, should it still target staging-25.11, or can it be retargeted to release-25.11 since it’s not technically causing rebuilds (but it will cause a bunch of builds)? | 19:53:52 |
 leona | Redacted or Malformed Event | 19:54:15 |
| leona | Redacted or Malformed Event | 19:54:22 |
 hexa | depends on the number of rebuilds | 20:12:45 |
| Randy Eckenrode | It was tagged 2501–5000, which is why I’m targeting staging for unstable. Since it’s broken on 25.11, would that still go through staging-25.11 due to the number of builds? | 20:14:10 |
 Vladimír Čunát | Can you make it rebuild on darwin only? (for now) | 20:23:43 |
| Vladimír Čunát | It's broken exactly on staging-next and release-25.11 currently. | 20:24:29 |
| Vladimír Čunát | If it's a darwin-only rebuild for setproctitle, I'd target these two. | 20:24:58 |
