#nixos-security on 2020-05-04

2019-04-23 19:29 gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh

00:47 kleisli has joined #nixos-security

02:43 hmpffff_ has joined #nixos-security

02:46 hmpffff has quit [Ping timeout: 260 seconds]

03:09 LnL has quit [Ping timeout: 260 seconds]

03:10 LnL has joined #nixos-security

07:09 FRidh has joined #nixos-security

07:25 FRidh has quit [Quit: Konversation terminated!]

07:26 FRidh has joined #nixos-security

10:21 hmpffff has joined #nixos-security

10:24 hmpffff_ has quit [Ping timeout: 240 seconds]

11:30 kgz is now known as kz

11:32 kz is now known as kgz

11:56 hmpffff_ has joined #nixos-security

11:58 hmpffff has quit [Ping timeout: 260 seconds]

15:25 anselmolsm has joined #nixos-security

15:34 justanotheruser has quit [Ping timeout: 272 seconds]

15:47 justanotheruser has joined #nixos-security

17:24 tokudan has quit [Remote host closed the connection]

17:27 tokudan has joined #nixos-security

18:41 <tokudan> broken.sh seems to have stopped updating, for unstable it's currently showing a commit date 2020-02-27 10:34:00 UTC... end of february

18:54 <hexa-> andi-:

18:55 <andi-> grml

18:56 <hexa-> Nay, nix

18:56 <andi-> It is clearly still alive and wasting many CPU cycles..

18:59 <andi-> it clearly has caught up to ab3adfe1c769c22b6629e59ea0ef88ec8ee4563f (latest 20.03 channel revision).. unclear why the interface doesn't show that

18:59 <andi-> actually it does.. tokudan https://broken.sh/channels/nixos-20.03

19:00 <andi-> but unstable is kinda stuck on februrary, interesting

19:00 <tokudan> yep, that's what i was looking at :)

19:02 <tokudan> anyway, I'll just pick a random one from 20.03, as I've had so much luck with p7zip last time :)

19:02 <andi-> happy hunting :)

19:03 <andi-> One thing about unstable that could become problematic in the long run is the time it takes to go through all the previous channel revisions..

19:04 <andi-> It takes about ~1min per revision

19:07 <andi-> apparently the git workdir is dirty at some random point in time.. I thought I would be resetting them

19:09 <andi-> tokudan: ping me if by tomorrow it hasn't caught up

19:09 <tokudan> andi-, will do, thanks for your work :)

19:19 <tokudan> i seem to have a knack for this... or a huge amount of software just isn't maintained anymore. libid3tag latest release is from 2004 and has three unfixed CVEs in that release. just denial of service though.

19:19 <andi-> Yeah

19:20 <andi-> I feel sorry for not having documented many of these cases.. I went through many of them for 2-3times (wiht months inbetween) without noticing I already did that work.. Taking notes is crucial.

19:23 <tokudan> probably a good time to start a thread on discourse regarding the status of packages and when we consider a package to be vulnerable

20:03 <tokudan> https://discourse.nixos.org/t/unmaintained-software-when-do-we-deprecate-software/7030

20:28 justanotheruser has quit [Quit: WeeChat 2.7.1]

20:29 justanotheruser has joined #nixos-security

20:39 <andi-> tokudan: thanks, I also just did two changes to broken.sh... For whatever reason I wasn't using the existing package cache that I create whenever I eval a revision for the first time.. It was always computing a bunch of stuff that never changes..

22:07 anselmolsm has quit [Remote host closed the connection]

22:12 MichaelRaskin has quit [Ping timeout: 256 seconds]

22:13 anselmolsm has joined #nixos-security

22:17 anselmolsm has quit [Ping timeout: 240 seconds]

22:17 anselmolsm_ has joined #nixos-security

22:27 MichaelRaskin has joined #nixos-security

23:18 justanotheruser has quit [Ping timeout: 260 seconds]

23:32 justanotheruser has joined #nixos-security