!UNVBThoJtlIiVwiDjU:nixos.org

Staging

404 Members
Staging merges | Running staging cycles: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+head%3Astaging-next+head%3Astaging-next-25.11 | Review Reports: https://malob.github.io/nix-review-tools-reports/132 Servers

Load older messages


SenderMessageTime
1 Jul 2026
@emilazy:matrix.orgemilywhich scares me00:09:42
@whispers:catgirl.cloudwhispers [& it/fae]just yoinking the three patches from debian seems very low-risk and sane. diffs are small00:11:10
@hexa:lossy.networkhexayeah, could mean nothing is ready for the (breaking?) changes in there00:11:18
@hexa:lossy.networkhexaI'm not super sure about the full scope; do the three patches cover everything relevant?00:11:49
@hexa:lossy.networkhexaRedacted or Malformed Event00:11:58
@whispers:catgirl.cloudwhispers [& it/fae]they cover the three CVEs I'm aware of and that the rust folks patched. i haven't tracked closely enough to know if there are others, though.00:13:25
@whispers:catgirl.cloudwhispers [& it/fae] * 00:14:09
@whispers:catgirl.cloudwhispers [& it/fae]same three posted about on oss-sec too: https://seclists.org/oss-sec/2026/q2/101000:14:52
@hexa:lossy.networkhexacan you quickly check the pr?00:17:41
@hexa:lossy.networkhexa^00:17:48
@hexa:lossy.networkhexaRedacted or Malformed Event00:17:54
@emilazy:matrix.orgemilyhttps://github.com/rust-lang/cargo/pull/17140 has the rust backports00:18:50
@emilazy:matrix.orgemilyfor comparison00:19:04
@emilazy:matrix.orgemily2026-55200 looks correct00:19:40
@emilazy:matrix.orgemilyas does 2026-5519900:19:53
@emilazy:matrix.orgemily2025-15661 makes my eyes glaze over so I'll let someone else assess that one00:20:02
@whispers:catgirl.cloudwhispers [& it/fae] this pr fails to build as-is, patches for 55200 don't apply 00:33:31
@hexa:lossy.networkhexadoes debian apply them to a different version?00:34:01
@emilazy:matrix.orgemilywe could perhaps just pick the ones from Rust00:36:58
@emilazy:matrix.orgemilyDebian seems to be on an older version and has a CVE fix from 2023 too and other patches00:37:25
@emilazy:matrix.orgemilyperhaps less likely to apply to our version00:37:30
@whispers:catgirl.cloudwhispers [& it/fae]nah, they're not pulling the 2023 fix at all i think, it's commented here: https://salsa.debian.org/debian/libssh2/-/blob/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/series#L6. but yeah it seems like they're still on 1.11.100:38:17
@whispers:catgirl.cloudwhispers [& it/fae]* nah, they're not pulling the 2023 fix at all i think, it's commented here: https://salsa.debian.org/debian/libssh2/-/blob/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/series#L6. it seems like they're also on 1.11.100:38:37
@whispers:catgirl.cloudwhispers [& it/fae]just raw pulling the (3 CVE + libssh-unconst-backport.patch) debian patches as-is and applying them builds fine for me (ignoring that pr entirely)00:42:25
@whispers:catgirl.cloudwhispers [& it/fae]some function names are different between the debian patch and the one in #533237, which looks like the cause of patch application failure00:43:08
@hexa:lossy.networkhexagreat00:47:41
@hexa:lossy.networkhexasubmit it :)00:47:45
@whispers:catgirl.cloudwhispers [& it/fae]https://github.com/whispersofthedawn/nixpkgs/commit/221328822354d21491261889713272011e89dbcf builds with the unmodified debian patches00:47:43
@whispers:catgirl.cloudwhispers [& it/fae]* https://github.com/whispersofthedawn/nixpkgs/commit/221328822354d21491261889713272011e89dbcf builds with the patches vendored from debian00:47:53
@emilazy:matrix.orgemilylooks like https://github.com/rust-lang/cargo/pull/17140/changes/353ce102e892a12a2fa04219ed4a6379c7e5031a avoids the macro backports00:48:27

Show newer messages


Back to Room ListRoom Version: 6