gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
ris has quit [Ping timeout: 246 seconds]
justan0theruser has joined #nixos-security
justanotheruser has quit [Ping timeout: 264 seconds]
kalbasit has joined #nixos-security
justan0theruser has quit [Ping timeout: 268 seconds]
tldr32 has quit [Read error: Connection reset by peer]
tldr32 has joined #nixos-security
tldr32 has quit [Read error: Connection reset by peer]
tldr32 has joined #nixos-security
ckauhaus has joined #nixos-security
tldr32 has quit [Read error: Connection reset by peer]
tldr32 has joined #nixos-security
tilpner has quit [Quit: tilpner]
tilpner has joined #nixos-security
justanotheruser has joined #nixos-security
justan0theruser has joined #nixos-security
justanotheruser has quit [Ping timeout: 240 seconds]
tilpner has quit [Quit: tilpner]
tilpner has joined #nixos-security
ckauhaus has quit [Quit: WeeChat 2.7.1]
<ajs124> what's it with people running patched version of openssh?
<hexa-> -v
rajivr has quit [Quit: Connection closed for inactivity]
<gchristensen> ehL
<gchristensen> ?
<hexa-> ajs124: increase verbosity please
<ajs124> #99959 there's an ssh bump that hasn't been merged for over 3 weeks, because 1. we didn't have the GSSAPI patches (which seem legit) and 2. someone at some point dropped support for having multiple different versions of ssh to accommodate hpn-ssh not providing timely updates.
<{^_^}> https://github.com/NixOS/nixpkgs/pull/99959 (by dasJ, 3 weeks ago, open): openssh: 8.3p1 -> 8.4p1
<gchristensen> that is pretty annoying
<qyliss> wasn't there a conversation about dropping the GSSAPI ones at some point?
<qyliss> ah, yes there was
<ajs124> I did a quick search earlier and it seems like this discussion repeats on every bump
<qyliss> yeah
<qyliss> looks like at least one person wants it
<qyliss> giving hpn users an old version sounds fair enough to me though?
<qyliss> with knownVulnerabilities if appropriate
<qyliss> it's unfortunate that it has to block updates for the rest of us though
<gchristensen> maybe they should have duplicated expressions to some degree
<qyliss> wait
<qyliss> ajs124: isn't this the appropriate hpn release? https://github.com/rapier1/openssh-portable/releases/tag/hpn-KitchenSink-8_4_P1
<qyliss> dated 13 days ago (although wasn't necessarily pushed then)
<qyliss> but yeah this feels like the ungoogled-chromium thing where we don't block updates of an upstream on a fork updating
<ajs124> qyliss: it just might be, let me see if it builds
<ajs124> updated the pr, but I still don't like this
<qyliss> yeah, I think we should do a generic.nix/default.nix/hpn.nix/gssapi.nix
<qyliss> it makes sense to have a common builder function, because they're not going to be that different, but it should be possible to update them separately
<qyliss> I wouldn't mind putting together a PR for that if it sounds like the way to go
<ajs124> sounds like a plan. does the openssh package have anyone that actually maintains it or at least feels responsible for it?
<qyliss> maintainers = with maintainers; [ eelco aneeshusa ];
justan0theruser has quit [Ping timeout: 264 seconds]
ris has joined #nixos-security
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-security
justanotheruser has joined #nixos-security
vesper11 has quit [Ping timeout: 240 seconds]
vesper11 has joined #nixos-security
vesper has joined #nixos-security
vesper11 has quit [Ping timeout: 240 seconds]
<qyliss> ajs124: hmm, do you think anybody is using gssapi + hpn?
<qyliss> that's theoretically possible currently but wouldn't be with the change I thought of
justanotheruser has quit [Ping timeout: 240 seconds]
<ajs124> qyliss: good question. idk tbh.
justanotheruser has joined #nixos-security
rajivr has joined #nixos-security