<hexa->
Description: Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
<hexa->
Description: Improper removal of sensitive information before storage or transfer in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
rajivr has quit [Quit: Connection closed for inactivity]
rajivr has joined #nixos-security
supersandro2000 has quit [Quit: Ping timeout (120 seconds)]
supersandro2000 has joined #nixos-security
cole-h has joined #nixos-security
fabian_a has joined #nixos-security
<julianst[m]>
I noticed that gitlab is somewhat stale in 20.09. It's at 13.6.1 while the current minor version is 13.6.7, which includes security fixes. :( the gitlab-runner is at an even older version. Is the right path here to backport major version upgrades from unstable or to bump the minor versions to the latest we get?
<supersandro2000>
security-related things like firefox or synapse (the matrix server) regularly get security backports
<supersandro2000>
if the gitlab updates are non-breaking to existing installations I would try to contact the maintainers and coordinate that
<supersandro2000>
backports are often forgotten because they need to be done manually and many developers are on unstable and do not notice it
<julianst[m]>
ok
ckauhaus has joined #nixos-security
cole-h has quit [Ping timeout: 260 seconds]
fabian_a has quit [Quit: Leaving]
faffolter has joined #nixos-security
<flokli>
julianst[m]: gitlab updates always were a big chunk of manual labor. The updater helped with that, but most of the time, whatever update on master happened was backported to the release branch. I think mostly due to the lack of time to maintain a second "stable" track
<julianst[m]>
flokli: bumping gitlab to 13.6.7 with the updater was relatively painless
<flokli>
Yes, it was much more work before :-D
<julianst[m]>
so kudos to whoever wrote the script :)
<flokli>
Thanks :-D
<julianst[m]>
I think it's okay to bump the minor versions in stable as long as there are any. This has minimal explosion potential.
<flokli>
But others improved and kept it in shape, too
<julianst[m]>
that being said, our internal gitlab updates have been very painless. But we use the prepackaged docker container from upstream
<flokli>
julianst[m]: yes, only bumping to minor versions as long as they are supported is preferred
<julianst[m]>
flokli: what's with the `deps.nix` files the script generates but that are not referenced?
<flokli>
might be an artifact of running some go2nix tool before
<julianst[m]>
too many language specific packaging tools... ;)
<flokli>
julianst[m]: I think they don't exist on master anymore
<flokli>
see 3157904d4a9f1e83cea261542fc046b02152d712
<flokli>
I added a comment, currently running the tests
<julianst[m]>
flokli: the deps files are already gone even in 20.09
ris has quit [Ping timeout: 264 seconds]
<flokli>
> flokli: what's with the `deps.nix` files the script generates but that are not referenced?
<{^_^}>
error: syntax error, unexpected WITH, expecting ')', at (string):475:16
<flokli>
does it still do that or not?
<julianst[m]>
flokli: the script generates deps files, but they are not used as far as I can see. If there were old versions of the deps files, they are also gone in stable.
<julianst[m]>
so it seems there is a backport missing for the script itself
<julianst[m]>
let me check...
<julianst[m]>
there is only 44108c5d7ca2aa12c8dd1fbee405f14693f5bd98 missing
ris has joined #nixos-security
tilpner_ has joined #nixos-security
tilpner has quit [Ping timeout: 264 seconds]
tilpner_ is now known as tilpner
<flokli>
Hmmh
ris has quit [Ping timeout: 260 seconds]
ris has joined #nixos-security
pie_ has joined #nixos-security
rajivr has quit [Quit: Connection closed for inactivity]