pie__ has joined #nixos-security
pie_ has quit [Remote host closed the connection]
pie__ has quit [Ping timeout: 268 seconds]
mmercier has joined #nixos-security
__Sander__ has joined #nixos-security
johnnyfive has quit [Quit: I go now.]
mmercier has quit [Quit: mmercier]
mmercier has joined #nixos-security
pie__ has joined #nixos-security
erictapen has joined #nixos-security
<gchristensen> ckauhaus: ping?
<ckauhaus> hi
<gchristensen> ckauhaus: I have someone who can spend today day patching vulns -- is there a easy way for them to get started? should I have them, say, go back to the oldest and triage remainin bugs?
<ckauhaus> would be a feasible approach
<ckauhaus> Most of the issues with the 'security' label should be actionable
<ckauhaus> I've deleted some that looked obsolete yesterday
<ckauhaus> some are of course easier than others, e.g. updating pkgs vs. solving hairy details
<ckauhaus> so it depends on the skills of that nice person
<gchristensen> not sure :)
<ckauhaus> I suppose that most of the easy stuff has already been done
<ckauhaus> so the new security process is working out to an extent ;-)
<gchristensen> nice
<ckauhaus> big kudos to periklis btw
<ckauhaus> so I'd suggest the same I'm suggesting to everyone: go through the list of 'security' GH issues and pick something that looks doable
<gchristensen> perfect
<ckauhaus> and reach out to other devs via IRC or so
ckauhaus is now known as ckauhaus[afk]
ckauhaus[afk] is now known as ckauhaus
lewo has joined #nixos-security
guaraqe has joined #nixos-security
zimbatm has joined #nixos-security
<zimbatm> hey guaraqe
<gchristensen> yay!
<guaraqe> hi!
<andi-> o/
<gchristensen> guaraqe works with zimbatm and I :) we're seeing how it goes having him do some patch work
<guaraqe> In cases like this one, where there is a newer version that has been committed, what should I do? Do the 18.09 backport? https://github.com/NixOS/nixpkgs/issues/49786
<{^_^}> #49786 (by ckauhaus, 3 weeks ago, open): Vulnerability roundup 51: libtiff-4.0.9
<ckauhaus> libtiff has been updated on master, but I'm not sure what the status of the backport is
<ekleog> ckauhaus: iirc I merged the backport like a few hours ago :p
<gchristensen> guaraqe: typically, find the commit applying it to master, and `git cherry-pick -x the-commit` to a branch off of release-18.09, and test that the package builds.
<ekleog> though it'd need checking that all the CVEs listed there are actually solved by 4.1.0
<ekleog> erhm, 4.0.10*
<guaraqe> Even if that consists of upgrading the version? I'm not sure what are the constraints for fixed-version NixOS updates
<ckauhaus> if upstream maintainers release a security point release, it is usually ok to include that new version
<ekleog> guaraqe: basically, minor or patch-level releases should be OK (with careful changelog for minor-level releases), other than that it may become interesting to port the patch if possible (and if not… well, it's a hard problem)
<ckauhaus> otherwise, a patch might be better
<ckauhaus> ekleog: :)
<guaraqe> ok, so that's why 4.0.10 is ok for both
<globin> guaraqe: exactly
<guaraqe> Ok, I tried to do a backport here: https://github.com/NixOS/nixpkgs/pull/51181
<{^_^}> #51181 (by guaraqe, 33 seconds ago, open): ncurses: upgrade from 6.1 -> 6.1-20181027
<guaraqe> can someone check if it is appropriate?
<gchristensen> guaraqe: looks like you used cherry-pick without -x I think?
<guaraqe> Yeah, I just checked, yes
<andi-> -x give the very nice information of what commit you picked it from
<guaraqe> Oh, ok, I am redoing it
<guaraqe> It should be ok now
<andi-> guaraqe: any specific reason we had to move away from the mirrors?
<andi-> oh, nvm you just picked it... looks a bit strange to me
<gchristensen> I agree
<gchristensen> though I think I'd have preferred the ~dozen patches approach
<gchristensen> oh well
<andi-> yeah.. makes it harder to verify now :/
__Sander__ has quit [Quit: Konversation terminated!]
guaraqe has quit [Remote host closed the connection]
mmercier has quit [Remote host closed the connection]
c0bw3b_ has joined #nixos-security
<c0bw3b_> (reading past exchanges today regarding ncurses)
<c0bw3b_> yes it was not an easy decision, applying upstream patches on top of earch other is basically equivalent to fetching the last "devel" release so..
<gchristensen> understood
<c0bw3b_> but next time I'll try to notify someone from the sec team to have more feedback
<gchristensen> there are many hard choices to make
<gchristensen> I don't think you made a bad one
<c0bw3b_> :)
<gchristensen> thank you for doing what you did
erictapen has quit [Quit: leaving]
__Sander__ has joined #nixos-security
__Sander__ has quit [Ping timeout: 250 seconds]
__Sander__ has joined #nixos-security
__Sander__ has quit [Ping timeout: 246 seconds]
c0bw3b_ has quit [Remote host closed the connection]
pie__ has quit [Remote host closed the connection]
pie___ has joined #nixos-security