| 30 Apr 2026 |
 hexa | DHE will only be used with dhparams anyway, so I hoped the warning would be sufficient | 12:59:03 |
 @enzime:nixos.dev | just investigated further, it doesn't matter if the first commit is merged now as nginx will just disable DHE if DH params are not configured https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam | 13:22:10 |
|  @hxr404:tchncs.de left the room. | 13:40:15 |
|  Vinetos joined the room. | 13:47:34 |
 Samuel Dionne-Riel | https://github.com/NixOS/nixpkgs/pull/514603 | 16:01:44 |
| 1 May 2026 |
 leona | https://gstreamer.freedesktop.org/ 1.28.2 fixes a few high score vulnerabilities.
We already have an open PR but it’s not ready and we are on an unsupported version
| 06:41:45 |
| @enzime:nixos.dev left the room. | 06:44:02 |
| 4 May 2026 |
|  AnnoyingRains changed their profile picture. | 02:36:04 |
| 2 May 2026 |
|  Tom changed their profile picture. | 18:41:12 |
| 3 May 2026 |
| AnnoyingRains changed their profile picture. | 13:02:39 |
 Mic92 | https://github.com/NixOS/nixpkgs/pull/516109 vaultwarden | 13:33:05 |
| 6 May 2026 |
 arcayr | https://github.com/NixOS/nixpkgs/pull/517132 apacheHttpd 2.4.66 -> 2.4.67 fixing cve-2026-23918 - https://httpd.apache.org/security/vulnerabilities_24.html / https://www.cve.org/CVERecord?id=CVE-2026-23918 | 04:52:22 |
 vcunat | weblate is in need of backport to 25.11, in case anyone's interested.
https://github.com/NixOS/nixpkgs/pull/510728#issuecomment-4386087895 | 08:31:12 |
|  lgian joined the room. | 09:15:35 |
 dish [Fox/It/She] | Not critical but someone seems to be trying to do weird exfil backdoor attacks on nixpkgs via CI, see https://github.com/NixOS/nixpkgs/pull/517354 | 16:24:30 |
| dish [Fox/It/She] | afaik none of this works but i could be wrong so bringing it up here for visibility | 16:24:40 |
| dish [Fox/It/She] | (it also seems to be using a very very expired webhook for exfil so i dont think this works anyways) | 16:25:55 |
 Alyssa Ross | I reported the account to GitHub. An org owner could also block them from the org. | 16:29:05 |
 Winter | ^ handling | 16:30:26 |
 tgerbet | Yeah they abuse a bunch of other repositories
I have spotted one where they got some success, I'm reaching out to them | 16:31:30 |
|  codec joined the room. | 16:33:12 |
| hexa | same | 17:42:41 |
| hexa | blocked | 17:43:32 |
|  averyv joined the room. | 19:06:21 |
| averyv | Hiya, I'm looking at handling https://github.com/NixOS/nixpkgs/issues/517209, pi-hole vuln, coming back to it after a while of neglecting it.
Another contributor has been working on updating the package. Annoyingly it now depends on mbedtls 4.0, which that contributor has packaged here https://github.com/NixOS/nixpkgs/pull/509801. But they're getting nixpkgs-vet errors blocking it.
Is it possible to disable nixpkgs-vet so we can get the vuln fixed and refactor later? | 19:17:01 |
 kuflierl | Interesting attack. But i am quite sure that we do not build, only eval in ci and send stuff to hydra where github tokens are non-existant | 19:17:02 |
| kuflierl | * Interesting attack. But i am quite sure that we do not build, only eval in ci and send builds to hydra where github tokens are non-existant | 19:17:52 |
| averyv | * Hiya, I'm looking at handling https://github.com/NixOS/nixpkgs/issues/517209, pi-hole vuln, coming back to it after a while of neglecting it.
Another contributor has been working on updating the package. Annoyingly it now depends on mbedtls 4.0, which that contributor has packaged here https://github.com/NixOS/nixpkgs/pull/509801. But they're getting nixpkgs-vet errors blocking it.
Is it possible to disable nixpkgs-vet for the PR so we can get the vuln fixed and refactor later? | 19:18:04 |
| Winter | we do not send ANYTHING to hydra from github ci. | 19:24:44 |
| hexa | tangential https://docs.lix.systems/manual/lix/stable/installation/multi-user.html#the-lix-daemon-as-a-security-non-boundary | 19:25:55 |
