01:28 ris has quit [Ping timeout: 240 seconds]
01:50 davidtwco has quit [Read error: Connection reset by peer]
01:50 raboof has quit [Read error: Connection reset by peer]
01:50 midchildan has quit [Ping timeout: 260 seconds]
01:51 davidtwco has joined #nixos-security
01:51 raboof has joined #nixos-security
01:53 midchildan has joined #nixos-security
03:10 zarel has quit [Ping timeout: 256 seconds]
03:12 maljub01 has quit [Ping timeout: 256 seconds]
03:16 maljub01 has joined #nixos-security
03:18 zarel has joined #nixos-security
03:18 maljub01 has quit [Client Quit]
03:19 maljub01 has joined #nixos-security
03:45 andi- has quit [Remote host closed the connection]
03:49 andi- has joined #nixos-security
04:27 maljub017 has joined #nixos-security
04:29 maljub01 has quit [Ping timeout: 260 seconds]
04:29 maljub017 is now known as maljub01
08:48 justanotheruser has quit [Ping timeout: 268 seconds]
09:04 kalbasit has quit [Ping timeout: 268 seconds]
11:45 ninjin has quit [Remote host closed the connection]
11:46 ninjin has joined #nixos-security
12:28 FRidh has joined #nixos-security
14:46 justanotheruser has joined #nixos-security
15:33 justanotheruser has quit [Ping timeout: 268 seconds]
15:40 justanotheruser has joined #nixos-security
16:49 <__red__> Quick question (which is security related - I promise)
16:49 <__red__> When I hit the nixpkgs-stable channel and it feeds me a packages.json.br
16:50 <__red__> I have found packages that differ in version in that file from what's in github when I look at the release-20.09 branch
16:50 <__red__> am I mistaken in thinking that those are equivalent?
16:50 <gchristensen> what channel are you looking at? (nixpkgs-stable isn't one :')
16:51 <__red__> Sorry - you're right
16:55 <__red__> I follow the re-direct
16:55 <gchristensen> that .edb261... is the commit hash
16:55 <__red__> so I guess I'm trying to understand the relationship between say edb26126d98 and the branch release-20.09
16:55 <gchristensen> but also, the nixos-* branches on the nixpkgs repo should point to the current channel revision
16:56 <__red__> I guess I expected release-20.09 to be ahead (since that's what people are cherrypicking commits into)
16:56 <__red__> and since I have an old version of mediawiki in release-20.09
16:56 <__red__> I'm confused as to why in packages.br it shows a newer version
16:56 <__red__> Okay - so it's not my understanding then
16:57 <__red__> I'll manually verify it again
16:59 <__red__> I just wanted to make sure I understood correctly
16:59 <__red__> it may be a bug
17:03 <hexa-> 3002.1 on nov 3rd
17:03 <hexa-> I'll take care of it
17:08 <{^_^}> hexa-'s karma got increased to 9
17:21 <__red__> Yup - it's a bug. Good, I'm glad it happened so now I have a better understanding of how this works.
17:40 rajivr has quit [Quit: Connection closed for inactivity]
17:44 tokudan has quit [Remote host closed the connection]
17:46 tokudan has joined #nixos-security
19:19 ris has joined #nixos-security
19:23 <{^_^}> #102175 (by grahamc, 1 hour ago, open): amazon-image: random.trust_cpu=on to cut 10s from boot
19:41 <__red__> Question: Do we have a policy as to how we deal with packages with security vulns that are marked as unavailable or broken?
19:42 <__red__> Do we still push for them to be updated anyways in case someone comes along later and fixes / changes that metadata flag?
19:44 <gchristensen> updated -> no, because there is no way to check it if it is broken
19:44 <gchristensen> a package which is broken or marked as insecure is basically on its way to being deleted
19:46 <__red__> gchristensen: Do you know when you'll be heading out this evening roughly?
19:46 <__red__> I want to send you something brief
19:46 <__red__> if I miss you the world won't come to a screaming end - so finger in air etc...?
19:46 <gchristensen> about 1.5h :)
19:47 <__red__> doh - okay - thanks :-)
19:47 <__red__> I don't trust matrix to send messages and I want to send an image
19:47 <__red__> so I can just dump it here I guess
20:45 <__red__> gchristensen: - In your messages
20:45 <__red__> I threw a screenshot in there
20:45 <gchristensen> nice! looks cool :D
20:48 <__red__> Yeah - it's coming on nicely
20:48 <__red__> I'm happy to talk about it publicly
20:48 <__red__> I'm just looking for a way that I can help with the wall of issues we have
20:49 <__red__> I've been having a lot of fun
20:49 <__red__> and it works by regex
20:51 <__red__> Issue#: 88380 Vulnerability roundup 84: php-7.3.16: 1 advisory
20:51 <__red__> CVE Block:
20:51 <__red__> CVE-2020-7067: > 7.4.5
20:51 <__red__> CVE-2020-7067: > 7.3.17
20:51 <__red__> CVE-2020-7067: > 7.2.30
20:51 <__red__> nixpkgs-unstable : php-with-extensions-7.4.11 php 7.4.11
20:51 <__red__> nixos-20.09 : php-with-extensions-7.4.11 php 7.4.11
20:52 <__red__> You can see at a glance that that issue is likely ready to be closed
20:52 <__red__> I will confess - I'm very confused between all the differences between name, pname, key etc etc...
20:53 <__red__> Other things that easily fall out
20:53 <__red__> being able to get a list of all packages that differ in version between the two channels
20:53 <__red__> (although there's probably tooling to do that already)
21:16 <hexa-> name is legacy, pname is the new-style package name
21:51 <__red__> I got very confused because the key in the packages.json file is different again
21:51 <__red__> I'm currently hypothesizing that it's what's in all-packages.nix
21:51 <__red__> lemme find you an example
21:52 <__red__> cos it's weird
21:52 <__red__> and maybe you can help me understand
21:58 <__red__> take a look at that
21:59 <__red__> same pname
21:59 <__red__> different projects
22:00 <__red__> so the key in the hash in the packages.json on the one side is haskellPackages.mediawiki, the other just mediawiki
22:00 <__red__> so that's kinda why I'm confused as to what each of the things mean
22:10 lejonet has quit [Ping timeout: 264 seconds]
22:15 MichaelRaskin has joined #nixos-security
22:19 ehmry has quit [Read error: Connection reset by peer]
22:21 ehmry has joined #nixos-security
22:42 flx is now known as migy
22:43 migy is now known as flx
23:24 <andi-> name is not legacy at all. derivation still takes name, not pname. pname + version is a (imho controversial) QoL change. When dealing with packages in nix you must always make a distinction between attribute name and (package) name. Often you can only match CPEs against one of them but not both.