| 25 Mar 2026 |
 Alyssa Ross | Presumably mainline will have the patch at some point? | 06:37:24 |
| Alyssa Ross | but maybe we should ask… | 06:41:23 |
 Fernando Rodrigues | it will; this would be about patching ahead of schedule. We do that for Xen since minor version bumps take forever to release, but I'm not sure how we do things in the kernel. | 06:56:21 |
| Alyssa Ross | stable kernels are weekly, but this patch has not even been posted to a kernel list yet | 06:58:51 |
| Alyssa Ross | ah but it was committed directly to Linus's tree, good | 07:01:17 |
| Alyssa Ross | so generally it will be in 7.0-rc6 on Sunday, and then stable kernels the following Friday. | 07:01:55 |
| Alyssa Ross | but in this case, I already see them in the stable kernel queue, so they're likely to make it into this Friday's instead | 07:04:21 |
| Fernando Rodrigues | awesome | 07:42:27 |
 hexa | https://seclists.org/oss-sec/2026/q1/383 | 14:45:37 |
| hexa | backdoor in litellm 1.82.7 | 14:45:43 |
| hexa | Redacted or Malformed Event | 14:46:19 |
| hexa | ok, master has 1.81.14 | 14:46:28 |
 kirillrdy | it only affects artifacts on pypi, nixpkgs fetches from github | 19:24:05 |
 Ben Sparks | as long as no one has the bright idea to bump nixpkgs to a revision on pypi :) | 19:34:55 |
| Ben Sparks | * as long as no one has the bright idea to bump nixpkgs to said revision on pypi :) | 19:35:07 |
| kirillrdy | its already been yanked from pypi | 19:36:55 |
| 26 Mar 2026 |
| hexa | https://seclists.org/oss-sec/2026/q1/387 libpng | 00:48:39 |
| hexa | Redacted or Malformed Event | 00:48:43 |
 vcunat | It's a huge rebuild, so there's at least one week of time (before starting another staging-next*) | 10:00:27 |
| vcunat | Unless we'd like to scrap the few days of the current staging-next-25.11. (as this one looks potentially quite serious) | 10:01:13 |
| vcunat | * Unless we'd like to scrap the few days of the current staging-next-25.11. (as this one looks potentially quite serious; see the first Impact: section) | 10:02:23 |
|  @meadow_weasel:matrix.org left the room. | 15:04:56 |
 ma27 | glibc security update: https://github.com/NixOS/nixpkgs/pull/503779 | 16:40:27 |
| ma27 | also checking if 25.11 is affected (I think so). can I target -next-25.11 oder rather staging? | 16:41:01 |
| vcunat | -linux is over 40% rebuilt in there, so unless it's critical... | 17:11:44 |
| vcunat | * -linux is over 40% rebuilt in there, so unless it's critical, I'd choose staging-25.11. | 17:12:00 |
| vcunat | * -linux is over 40% rebuilt in there, so unless it's really urgent, I'd choose staging-25.11. | 17:12:14 |
| vcunat | The description doesn't sound serious to me, at a quick read:
https://sourceware.org/bugzilla/show_bug.cgi?id=34014#c0 | 17:15:27 |
| ma27 | agreed. it's also not even on the 2.40 release branch 🤷 | 17:17:33 |
| vcunat | I honestly don't get it. A prerequisite is that your configured DNS resolver is malicious. And the impact is that answer returned by that resolver is interpreted incorrectly? I guess I'm too tired today? | 17:17:46 |
