| 29 Jun 2026 |
Alyssa Ross | We could, as a distribution, update a vulnerable library once, for all packages in Nixpkgs, regardless of maintenance | 17:08:55 |
Alyssa Ross | * | 17:09:01 |
Alyssa Ross | Instead, every hobby single-person upstream project has to react to security patch releases in all of their recursive dependencies. This sucks. | 17:09:23 |
Alyssa Ross | It's not impossible to solve this problem with lockfiles, but they do discourage it | 17:15:06 |
Lach | It's just that I have many things that I wish to upstream to nixpkgs, but the situation is awful with Python: it's either using old libraries, or applying tons of patches on top of them.
Making this a package maintainer problem doesn't seem to be a better solution | 17:15:18 |
Lach | As for lockfiles, CVE fixes are usually patch releases, I actually have a solution for that which involves patching lockfiles for patch package versions... I wonder if it can be applied to nixpkgs | 17:16:45 |
Alyssa Ross | that is a possible solution | 17:17:15 |
K900 | hexa we have to eat a python-redis rebuild | 17:36:28 |
K900 | 8.0.0 literally can't connect to a Unix socket | 17:36:28 |
hexa | 🤷 | 17:37:02 |
hexa | how large can the rebuild be | 17:37:19 |