!UNVBThoJtlIiVwiDjU:nixos.org

Staging

404 Members
Staging merges | Find currently open staging-next PRs: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+sort%3Aupdated-desc+head%3Astaging-next+head%3Astaging-next-21.05+is%3Aopen131 Servers

Load older messages


SenderMessageTime
1 Jul 2026
@whispers:catgirl.cloudwhispers [& it/fae] * 00:14:09
@whispers:catgirl.cloudwhispers [& it/fae]same three posted about on oss-sec too: https://seclists.org/oss-sec/2026/q2/101000:14:52
@hexa:lossy.networkhexacan you quickly check the pr?00:17:41
@hexa:lossy.networkhexa^00:17:48
@hexa:lossy.networkhexaRedacted or Malformed Event00:17:54
@emilazy:matrix.orgemilyhttps://github.com/rust-lang/cargo/pull/17140 has the rust backports00:18:50
@emilazy:matrix.orgemilyfor comparison00:19:04
@emilazy:matrix.orgemily2026-55200 looks correct00:19:40
@emilazy:matrix.orgemilyas does 2026-5519900:19:53
@emilazy:matrix.orgemily2025-15661 makes my eyes glaze over so I'll let someone else assess that one00:20:02
@whispers:catgirl.cloudwhispers [& it/fae] this pr fails to build as-is, patches for 55200 don't apply 00:33:31
@hexa:lossy.networkhexadoes debian apply them to a different version?00:34:01
@emilazy:matrix.orgemilywe could perhaps just pick the ones from Rust00:36:58
@emilazy:matrix.orgemilyDebian seems to be on an older version and has a CVE fix from 2023 too and other patches00:37:25
@emilazy:matrix.orgemilyperhaps less likely to apply to our version00:37:30
@whispers:catgirl.cloudwhispers [& it/fae]nah, they're not pulling the 2023 fix at all i think, it's commented here: https://salsa.debian.org/debian/libssh2/-/blob/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/series#L6. but yeah it seems like they're still on 1.11.100:38:17
@whispers:catgirl.cloudwhispers [& it/fae]* nah, they're not pulling the 2023 fix at all i think, it's commented here: https://salsa.debian.org/debian/libssh2/-/blob/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/series#L6. it seems like they're also on 1.11.100:38:37
@whispers:catgirl.cloudwhispers [& it/fae]just raw pulling the (3 CVE + libssh-unconst-backport.patch) debian patches as-is and applying them builds fine for me (ignoring that pr entirely)00:42:25
@whispers:catgirl.cloudwhispers [& it/fae]some function names are different between the debian patch and the one in #533237, which looks like the cause of patch application failure00:43:08
@hexa:lossy.networkhexagreat00:47:41
@hexa:lossy.networkhexasubmit it :)00:47:45
@whispers:catgirl.cloudwhispers [& it/fae]https://github.com/whispersofthedawn/nixpkgs/commit/221328822354d21491261889713272011e89dbcf builds with the unmodified debian patches00:47:43
@whispers:catgirl.cloudwhispers [& it/fae]* https://github.com/whispersofthedawn/nixpkgs/commit/221328822354d21491261889713272011e89dbcf builds with the patches vendored from debian00:47:53
@emilazy:matrix.orgemilylooks like https://github.com/rust-lang/cargo/pull/17140/changes/353ce102e892a12a2fa04219ed4a6379c7e5031a avoids the macro backports00:48:27
@emilazy:matrix.orgemilybut picking the macro backport should be good too / maybe better00:48:33
@emilazy:matrix.orgemilyyou can fetchurl these directly from salsa00:49:03
@emilazy:matrix.orgemilyother than that LGTM, let's get a PR :)00:49:14
@whispers:catgirl.cloudwhispers [& it/fae]…right, i forgot you didn't need to fetchpatch (which infrecs), will dop00:49:47
@whispers:catgirl.cloudwhispers [& it/fae]* …right, i forgot you didn't need to fetchpatch (which infrecs), will do00:49:48
@emilazy:matrix.orgemily yeah if you're fetching patch files vendored inside a repo from a commit-pinned URL fetchurl is fine 00:51:17

Show newer messages


Back to Room ListRoom Version: 6