| 29 Jun 2026 |
K900 | Sorry it's not setuptools that explodes, it's virtualenv | 16:58:06 |
K900 | But there's a weird middle version they can agree in | 16:58:13 |
dotlambda | I'm excited about paperless slop 3.0 | 16:58:14 |
K900 | They tagged a beta of that | 16:58:46 |
K900 | I wonder if that one works | 16:58:50 |
Lach | I'm amazed how the Python ecosystem is still alive with no lockfiles, having breaking changes in packages such as numpy | 17:04:37 |
dotlambda | Lockfiles are poison | 17:04:56 |
K900 | Oh no, there's plenty of lockfiles | 17:05:33 |
K900 | They're just impossible to actually use downstream | 17:05:43 |
Lach | Lockfiles enable proper dependency resolution and not the requirements.txt bs | 17:06:02 |
K900 | The Python ecosystem problem is not lockfiles | 17:06:18 |
Lach | They are impossible to use in upstream most of the time either D: | 17:06:38 |
dotlambda | And they invite you to never update. Take a guess how many CVEs we didn't fix because we use Rust and Node.js lockfiles | 17:07:08 |
Lach | I don't think this is a nixpkgs problem if upstream is not updating their dependencies? | 17:07:46 |
Alyssa Ross | When a C library has a vulnerability, we update it, and every dependent uses the fixed version | 17:08:11 |
Alyssa Ross | This is good | 17:08:15 |
Alyssa Ross | Cargo and whatever make that more difficult | 17:08:27 |
whispers [& it/fae] | it's a problem for the people who use it (us) so it's a problem for the distributors (also us) | 17:08:32 |
dotlambda | And we have open issues discussing solutions but none have been implemented | 17:08:52 |
Alyssa Ross | We could, as a distribution, update a vulnerable library once, for all packages in Nixpkgs, regardless of maintenance | 17:08:55 |
Alyssa Ross | Instead, every hobby single person upstream project has to react to security patch releases in all of their recursive dependencies. This sucks. | 17:09:23 |
Alyssa Ross | It's not impossible to solve this problem with lockfiles, but they do discourage it | 17:15:06 |
Lach | It's just that I have many things that I wish to upstream to nixpkgs, but the situation is awful with Python: it's either using old libraries, or applying tons of patches on top of them
Making this a package maintainer problem doesn't seem to be a better solution | 17:15:18 |
Lach | As for lockfiles, CVE fixes are usually patch releases, I actually have a solution for that which involves patching lockfiles for patch package versions... I wonder if it can be applied to nixpkgs | 17:16:45 |
Alyssa Ross | that is a possible solution | 17:17:15 |
K900 | hexa we have to eat a python-redis rebuild | 17:36:28 |
K900 | 8.0.0 literally can't connect to a Unix socket | 17:36:28 |
hexa | 🤷 | 17:37:02 |