<gchristensen>
ckauhaus: I have someone who can spend today day patching vulns -- is there a easy way for them to get started? should I have them, say, go back to the oldest and triage remainin bugs?
<ckauhaus>
would be a feasible approach
<ckauhaus>
Most of the issues with the 'security' label should be actionable
<ckauhaus>
I've deleted some that looked obsolete yesterday
<ckauhaus>
some are of course easier than others, e.g. updating pkgs vs. solving hairy details
<ckauhaus>
so it depends on the skills of that nice person
<gchristensen>
not sure :)
<ckauhaus>
I suppose that most of the easy stuff has already been done
<ckauhaus>
so the new security process is working out to an extent ;-)
<gchristensen>
nice
<ckauhaus>
big kudos to periklis btw
<ckauhaus>
so I'd suggest the same I'm suggesting to everyone: go through the list of 'security' GH issues and pick something that looks doable
<gchristensen>
perfect
<ckauhaus>
and reach out to other devs via IRC or so
ckauhaus is now known as ckauhaus[afk]
ckauhaus[afk] is now known as ckauhaus
lewo has joined #nixos-security
guaraqe has joined #nixos-security
zimbatm has joined #nixos-security
<zimbatm>
hey guaraqe
<gchristensen>
yay!
<guaraqe>
hi!
<andi->
o/
<gchristensen>
guaraqe works with zimbatm and I :) we're seeing how it goes having him do some patch work
<ckauhaus>
libtiff has been updated on master, but I'm not sure what the status of the backport is
<ekleog>
ckauhaus: iirc I merged the backport like a few hours ago :p
<gchristensen>
guaraqe: typically, find the commit applying it to master, and `git cherry-pick -x the-commit` to a branch off of release-18.09, and test that the package builds.
<ekleog>
though it'd need checking that all the CVEs listed there are actually solved by 4.1.0
<ekleog>
erhm, 4.0.10*
<guaraqe>
Even if that consists of upgrading the version? I'm not sure what are the constraints for fixed-version NixOS updates
<ckauhaus>
if upstream maintainers release a security point release, it is usually ok to include that new version
<ekleog>
guaraqe: basically, minor or patch-level releases should be OK (with careful changelog for minor-level releases), other than that it may become interesting to port the patch if possible (and if not… well, it's a hard problem)
<gchristensen>
though I think I'd have preferred the ~dozen patches approach
<gchristensen>
oh well
<andi->
yeah.. makes it harder to verify now :/
__Sander__ has quit [Quit: Konversation terminated!]
guaraqe has quit [Remote host closed the connection]
mmercier has quit [Remote host closed the connection]
c0bw3b_ has joined #nixos-security
<c0bw3b_>
(reading past exchanges today regarding ncurses)
<c0bw3b_>
yes it was not an easy decision, applying upstream patches on top of earch other is basically equivalent to fetching the last "devel" release so..
<gchristensen>
understood
<c0bw3b_>
but next time I'll try to notify someone from the sec team to have more feedback
<gchristensen>
there are many hard choices to make
<gchristensen>
I don't think you made a bad one
<c0bw3b_>
:)
<gchristensen>
thank you for doing what you did
erictapen has quit [Quit: leaving]
__Sander__ has joined #nixos-security
__Sander__ has quit [Ping timeout: 250 seconds]
__Sander__ has joined #nixos-security
__Sander__ has quit [Ping timeout: 246 seconds]
c0bw3b_ has quit [Remote host closed the connection]
pie__ has quit [Remote host closed the connection]