<rnhmjoj>
can we do something about the vulnerability roundup issues? there are hundreds of them with absolutely no reply from the maintainers. are there duplicates, false positives? why does nobody bother to solve or ever close them?
<infinisil>
rnhmjoj: Unless somebody gets paid to work on them, we can't expect anything
<rnhmjoj>
of course, i was just thinking that filling the issue tracker with them may not be the best solution
<infinisil>
Hmm maybe, if anything though, it at least brings more visibility to security problems
<rnhmjoj>
there are issues about old channels like 19.03, should they be closed?
ckauhaus has joined #nixos-dev
Gaelan has joined #nixos-dev
Gaelan_ has quit [Read error: Connection reset by peer]
georgyo has quit [Ping timeout: 244 seconds]
georgyo has joined #nixos-dev
regnat has quit [Ping timeout: 260 seconds]
regnat has joined #nixos-dev
elvishjerricco has quit [Ping timeout: 244 seconds]
<FRidh>
gchristensen: introduce a @systemdPath@ that when set overrides what's there?
<gchristensen>
and add a wrapper script? that sounds promising
<niksnut>
make the changes to a local branch of nixpkgs?
<gchristensen>
I suppose I could, I'm pretty bad at the rebase workflow and keeping up to date. maybe we should make tools to support that, so it is easier for people to do it
<LnL>
I think having some builtin way to apply patch files on top of a channel/flake would be really nice
<gchristensen>
I agree
<LnL>
the most common use case for that is: apply this fix until I get to the point where it was merged
<LnL>
so merge conflicts mean you can get rid of the patch in that case
<niksnut>
that tool exists, it's called git ;-)
<gchristensen>
well, it isn't very good at it: the workflow has me on a different version than anyone else making it incomparable, or having to rebase my patches continuously meaning I lose rollback / version history, or keep a careful log with tags. and, I lose command-not-found and other hydra artifacts that only come from the channel scripts.
<gchristensen>
s/hydra //
<niksnut>
that would also be true if nix had the ability to apply patches
<niksnut>
because you wouldn't have a "rev" anymore
<gchristensen>
right
<gchristensen>
but maybe there is another way
<LnL>
there's reflog, but using git (directly) is way too general IMHO
<niksnut>
btw I had to change those lines recently as well (for some container related flags / debugging)
<gchristensen>
oh really?
<LnL>
what I do in my git hook is tag the revision with the generation, which means git log --tags gives full history even if things are force pushed
<ryantm>
rnhmjoj: I think closing any vulnerability roundup issue older than 20.03 is appropriate because we aren't supporting them anymore.
FRidh has quit [Quit: Konversation terminated!]
<rnhmjoj>
@ryantm:matrix.org: this should probably be automated: the reports contain a reference to the channel, so perhaps a bot could add an "unsupported" tag and close them
<julm>
bad news everyone... apparmor-profiles needs patching: it allows /etc/ld.so.preload but NixOS uses /etc/ld-nix.so.preload, and I think that all <abstractions/base> should be replaced because it allows stuff using the FHS, like all .so in /{usr/,}lib{,32,64}/ld{,32,64}-*.so; this makes no sense and it does not help for the list of .so in /etc/ld-nix.so.preload; moreover the ExecStop in services.apparmor
<julm>
are missing include paths (-I) and thus fail, leaving phantom AppArmor profiles active
<timokau[m]>
@ryantm:matrix.org: Good to hear it's on the radar.
<cole-h>
ma27[m]: One minor complaint is: I don't like the verbosity of copying to the tmp directory (displaying `olddir/file1 -> tmpdir/file1` for every file).
<cole-h>
But maybe that's just me
alp has joined #nixos-dev
<ma27[m]>
oh you're right, should've removed that in the first place :)
<cole-h>
<3 ma27[m]
<{^_^}>
ma27[m]'s karma got increased to 19
<cole-h>
tokei works as expected (yaml serialization shows up in help output), thanks ma27[m]!
orivej_ has joined #nixos-dev
orivej has quit [Ping timeout: 272 seconds]
leungbk has joined #nixos-dev
orivej_ has quit [Quit: No Ping reply in 180 seconds.]
orivej has joined #nixos-dev
orivej has quit [Quit: No Ping reply in 180 seconds.]