| 29 May 2021 |
hexa | ris_: feel free to push to that branch when you have found a solution | 13:49:39 |
ris_ | hmmmmm though I know what the problem is, the solution is less clear... macos' framework packages are weird | 13:51:31 |
ris_ | i'll ask #macos:nixos.org | 13:52:18 |
ris_ | if we were in a hurry security-wise, curl have published patches for all three CVEs | 14:03:52 |
| 30 May 2021 |
ris_ | if anyone wants to have a go at bumping singularity 3.6.3's umoci dependency to 0.4.7 and thus resolve https://github.com/NixOS/nixpkgs/issues/124678 please be my guest, i give up. golang's packaging tools are :horror: | 00:14:32 |
Sandro | In reply to @r_i_s:matrix.org ("if anyone wants to have a go at bumping singularity 3.6.3's umoci dependency to 0.4.7 and thus resolve https://github.com/NixOS/nixpkgs/issues/124678 please be my guest, i give up. golang's packaging tools are :horror:"): You probably need to create upstream issues/PRs for them | 02:32:05 |
Arian | It seems NixOS is missing DigiCert's new Root CA. E.g. i can not curl https://signup.cloud.oracle.com | 11:47:00 |
Arian | How is the nixos trust store kept up to date? | 11:59:36 |
das_j | In reply to @arianvp:matrix.org ("How is the nixos trust store kept up to date?"): nss's trust store (mozilla) is used | 13:56:56 |
das_j | see pkgs/data/misc/cacert | 13:57:38 |
Arian | Interesting. I think it's something funky with oracle's setup. They aren't returning the entire certificate chain in the handshake | 13:58:06 |
philipp | That's a really common issue, sadly. | 13:58:55 |
hexa | das_j: and the nss version in stable doesn't change, should we rely on nss_latest for cacerts possibly? | 14:03:04 |
andi- | nss_latest. -> cacert -> world rebuild-ish | 14:07:08 |
hexa | yup | 14:07:17 |
andi- | The idea of nss_latest was to exactly avoid world rebuilds | 14:07:18 |
hexa | fair | 14:07:24 |
andi- | while still being able to upgrade firefox | 14:07:28 |
andi- | One option is always to only update cacert independent of NSS | 14:10:28 |
andi- | Still a world rebuild but not as high impact as changing NSS | 14:10:41 |