gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
ris has quit [Ping timeout: 240 seconds]
davidtwco has quit [Read error: Connection reset by peer]
raboof has quit [Read error: Connection reset by peer]
midchildan has quit [Ping timeout: 260 seconds]
davidtwco has joined #nixos-security
raboof has joined #nixos-security
midchildan has joined #nixos-security
zarel has quit [Ping timeout: 256 seconds]
maljub01 has quit [Ping timeout: 256 seconds]
maljub01 has joined #nixos-security
zarel has joined #nixos-security
maljub01 has quit [Client Quit]
maljub01 has joined #nixos-security
andi- has quit [Remote host closed the connection]
andi- has joined #nixos-security
maljub017 has joined #nixos-security
maljub01 has quit [Ping timeout: 260 seconds]
maljub017 is now known as maljub01
justanotheruser has quit [Ping timeout: 268 seconds]
kalbasit has quit [Ping timeout: 268 seconds]
ninjin has quit [Remote host closed the connection]
ninjin has joined #nixos-security
FRidh has joined #nixos-security
justanotheruser has joined #nixos-security
justanotheruser has quit [Ping timeout: 268 seconds]
justanotheruser has joined #nixos-security
<__red__> Quick question (which is security related - I promise)
<__red__> When I hit the nixpkgs-stable channel and it feeds me a packages.json.br
<__red__> I have found packages that differ in version in that file from what's in github when I look at the release-20.09 branch
<__red__> am I mistaken in thinking that those are equivalent?
<gchristensen> what channel are you looking at? (nixpkgs-stable isn't one :')
<__red__> Sorry - you're right
<__red__> Yes
<__red__> I follow the re-direct
<gchristensen> that .edb261... is the commit hash
<__red__> so I guess I'm trying to understand the relationship between say edb26126d98 and the branch release-20.09
<gchristensen> but also, the nixos-* branches on the nixpkgs repo should point to the current channel revision
<__red__> I guess I expected release-20.09 to be ahead (since that's what people are cherrypicking commits into)
<gchristensen> yea
<__red__> and since I have an old version of mediawiki in release-20.09
<__red__> I'm confused as to why in packages.br it shows a newer version
<__red__> Okay - so it's not my understanding them
<gchristensen> hrm
<__red__> theN
<__red__> I'll manually verify it again
<__red__> I just wanted to make sure I understood correctly
<__red__> it may be a bug
<hexa-> 3002.1 on nov 3rd
<hexa-> I'll take care of iy
<hexa-> iy
<hexa-> it.
<aanderse> hexa-++
<{^_^}> hexa-'s karma got increased to 9
<__red__> Yup - it's a bug. Good, I'm glad it happened so now I have a better understanding of how this works.
rajivr has quit [Quit: Connection closed for inactivity]
tokudan has quit [Remote host closed the connection]
tokudan has joined #nixos-security
ris has joined #nixos-security
<gchristensen> anyone want to take a look-see at this little guy? https://github.com/NixOS/nixpkgs/pull/102175
<{^_^}> #102175 (by grahamc, 1 hour ago, open): amazon-image: random.trust_cpu=on to cut 10s from boot
<__red__> Question: Do we have a policy as to how we deal with packages with security vulns that are marked as unavailable or broken?
<__red__> Do we still push for them to be updated anyways in case someone comes along later and fixes / changes that metadata flag?
<gchristensen> updated -> no, because there is no way to check it if it is broken
<gchristensen> a package which is broken or marked as insecure is basically on its way to being deleted
<__red__> Coolio
<__red__> gchristensen: Do you know when you'll be heading out this evening roughly?
<__red__> I want to send you something brief
<__red__> if I miss you the world won't come to a screaming end - so finger in air etc...?
<gchristensen> about 1.5h :)
<__red__> doh - okay - thanks :-)
<__red__> I don't trust matrix to send messages and I want to send an image
<__red__> so I can just dump it here I guess
<__red__> np
<__red__> brb
<__red__> gchristensen: - In your messages
<__red__> I threw a screenshot in there
<gchristensen> nice! looks cool :D
<__red__> Yeah - it's coming on nicely
<__red__> I'm happy to talk about it publicly
<__red__> I'm just looking for a way that I can help with the wall of issues we have
<__red__> I've been having a lot of fun
<__red__> and it works by regex
<__red__> so...
<__red__> for php
<__red__> so,
<__red__> Issue#: 88380 Vulnerability roundup 84: php-7.3.16: 1 advisory
<__red__> CVE Block:
<__red__> CVE-2020-7067: > 7.4.5
<__red__> CVE-2020-7067: > 7.3.17
<__red__> CVE-2020-7067: > 7.2.30
<__red__> nixpkgs-unstable : php-with-extensions-7.4.11 php 7.4.11
<__red__> nixos-20.09 : php-with-extensions-7.4.11 php 7.4.11
<__red__> You can see at a glance that that issue is likely ready to be closed
<__red__> I will confess - I'm very confused between all the differences between name, pname, key etc etc...
<__red__> Other things that easily fall out
<__red__> being able to get a list of all packages that differ in version between the two channels
<__red__> (although there's probably tooling to do that already)
<__red__> crap
<hexa-> name is legacy, pname is the new-style package name
<__red__> I got very confused because the key in the packages.json file is different again
<__red__> I'm currently hypothesizing that it's what's in all-packages.nix
<__red__> lemme find you an example
<__red__> cos it's weird
<__red__> and maybe you can help me understand
<__red__> take a look at that
<__red__> same pname
<__red__> different projects
<__red__> so the key in the hash in the packages.json on the one side is haskellPackages.mediawiki, the other just mediawiki
<__red__> so that's kinda why I'm confused as to what each of the things mean
lejonet has quit [Ping timeout: 264 seconds]
MichaelRaskin has joined #nixos-security
ehmry has quit [Read error: Connection reset by peer]
ehmry has joined #nixos-security
flx is now known as migy
migy is now known as flx
<andi-> name is not legacy at all. derivation still takes name, not pname. pname + version is a (imho controversial) QoL change. When dealing with packages in nix you must always make a distinction between attribute name and (package) name. Often you can only match CPEs against one of them but not both.