gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
ris has quit [Ping timeout: 252 seconds]
ekleog has quit [Read error: Connection reset by peer]
ekleog has joined #nixos-security
<pie_> nice
pie_ has quit [Ping timeout: 252 seconds]
<marek> I need a hand with https://github.com/NixOS/nixpkgs/pull/64909, the CVE fixes a possible zip bomb, but it now breaks some zip tests for other packages
<{^_^}> #64909 (by mmahut, 2 days ago, merged): unzip: CVE-2019-13232
<marek> I wonder what is the best way forward, unzip is going to have this anyway, so fixing the test is the right way in my opinion
pie_ has joined #nixos-security
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-security
justanotheruser has quit [Ping timeout: 244 seconds]
justanotheruser has joined #nixos-security
andi- has quit [Remote host closed the connection]
andi- has joined #nixos-security
andi- has quit [Remote host closed the connection]
andi- has joined #nixos-security
andi- has quit [Client Quit]
andi- has joined #nixos-security
andi- has quit [Remote host closed the connection]
andi- has joined #nixos-security
andi- has quit [Client Quit]
andi- has joined #nixos-security
andi- has quit [Client Quit]
andi- has joined #nixos-security
andi- has quit [Client Quit]
andi- has joined #nixos-security
andi- has quit [Client Quit]
andi- has joined #nixos-security
andi- has quit [Client Quit]
andi- has joined #nixos-security
andi- has quit [Client Quit]
andi- has joined #nixos-security
andi- has quit [Client Quit]
andi- has joined #nixos-security
tokudan has quit [Quit: ZNC 1.7.3 - https://znc.in]
tokudan has joined #nixos-security
ghuntley has joined #nixos-security
<ghuntley> hey folks, check out https://github.com/NixOS/nixpkgs/issues/65105. What if we used the GitHub security advisories functionality?
<{^_^}> #65105 (by ghuntley, 4 minutes ago, open): Use GitHub for NixOS security advisories
<andi-> The problem is getting there. E.g. having a reliable diff of things that we are delivering (and which commit fixed it, when the channel version is released, …).
<andi-> one thing we have to tackle is creating visibility for people that there is work to do
<andi-> The other is properly reviewing that and getting it merged
<andi-> At the moment we somewhat fail somewhere between the first and second