<ekleog>
An intermediate option might be a big blob of json (committed into the repository) from which a db (not committed) could be extracted… but that's likely over-engineering
<ekleog>
JSON is always more merge-able than sqlite
pie_ has quit [Read error: Connection reset by peer]
pie_ has joined #nixos-security
ckauhaus has joined #nixos-security
pie__ has joined #nixos-security
pie_ has quit [Read error: Connection reset by peer]
__Sander__ has joined #nixos-security
contrapumpkin has quit [Ping timeout: 268 seconds]
__Sander__ has quit [Ping timeout: 240 seconds]
__Sander__ has joined #nixos-security
ckauhaus has quit [Quit: WeeChat 2.0]
ckauhaus has joined #nixos-security
<andi->
I would go for a bunch of JSON blobs. Just committing my reports. The frequency (and deduplication before adding it?) should fix the bloat issue?
copumpkin has joined #nixos-security
pie__ has quit [Read error: Connection reset by peer]
pie_ has joined #nixos-security
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-security
__Sander__ has quit [Quit: Konversation terminated!]
pie_ has quit [Read error: Connection reset by peer]
<joepie91>
andi-: reading release notes? what are we, reasonable people?
<joepie91>
:P
<joepie91>
it's frankly quite shocking how few people seem to actually read release notes, or even a changelog
<andi->
it is killing my motivation.. I mean, literally just reading before you accept something automatically bumped is not asking for much..
<joepie91>
I've had to open waaaay too many "please add a changelog" tickets on projects...
<joepie91>
because nobody noticed its absence...
<joepie91>
andi-: anyhow, what's the specific issue in this case?
<andi->
I get home every evening, run mbsync to retrieve my mails, run my classification things and then go through a list of stuff that seems to be worth fixing.. Then figure out that it could have been fixed by literally reading the 2-line release notes..
<andi->
joepie91: RCE in mutt
<andi->
if you use it with IMAP
<andi->
and if the mailserver doesn't like you
<andi->
and a few other issues for the case of just simple mutt... I have not read the last 5 months of changelogs, just a few releases.. was scary enough.
<andi->
I guess I want an email client written in haskell/rust/ocaml/.. to at least remove that one class of issues
<joepie91>
andi-: that doesn't totally remove RCEs though :)
<joepie91>
just memory-related ones
<andi->
yeah.. you get my point
<joepie91>
if I got a dollar for every time somebody shelled out to some external tool via bash without proper input sanitizing/escaping... :(
<joepie91>
yeah :P
<andi->
I am always baffled how good any other distribution is with this kind of thing... I cannot say if they got a heads-up in this case, but for example arch linux did patch that 8 days ago before an official release. :/
<joepie91>
andi-: larger distros do generally get notices ahead of time
<andi->
I know. that's why I said I do not know in that case if that happened
pie__ has joined #nixos-security
pie_ has quit [Ping timeout: 260 seconds]
pie_ has joined #nixos-security
pie___ has joined #nixos-security
pie__ has quit [Ping timeout: 240 seconds]
pie_ has quit [Ping timeout: 260 seconds]
<infinisil>
I won't read release notes when I update 100 programs at once with a nixos-rebuild --upgrade :P
<andi->
the user is probably the exception here :-)
<ekleog>
andi-: 6 days ago slackware sent an email to slackware-security@slackware.com (which redirects to bugtraq@securityfocus.com) mentioning the issue
* ekleog
didn't notice it among the noise :'(
<ekleog>
(also, I usually watch out mostly for oss-security, other MLs are most of the time just saying once again what's already passed on oss-security… but this time it looks like the only mention of mutt I have in my security-related folder is this SSA)
<ekleog>
oh, and for the release notes… here the problem is actually that no one upgraded mutt, not that someone upgraded mutt without the release notes, isn't it?