From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <discuss-bounces@spectrum-os.org>
X-Spam-Checker-Version: SpamAssassin 3.4.3 (2019-12-06) on atuin
X-Spam-Level: 
X-Spam-Status: No, score=-1.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS
	autolearn=unavailable autolearn_force=no version=3.4.3
Received: from [127.0.1.1] (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id E2FD916908;
	Sun, 10 May 2020 23:31:51 +0000 (UTC)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29])
	by atuin.qyliss.net (Postfix) with ESMTPS id 2C83F16900;
	Sun, 10 May 2020 23:31:49 +0000 (UTC)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42])
	by mailout.nyi.internal (Postfix) with ESMTP id 615095C002F;
	Sun, 10 May 2020 19:31:48 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
  by compute2.internal (MEProxy); Sun, 10 May 2020 19:31:48 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alyssa.is; h=
	from:to:cc:subject:in-reply-to:references:date:message-id
	:mime-version:content-type; s=fm3; bh=OibjNBAtF54uZbel6Qbti5CUbq
	1bblHOHcB0arFzSGc=; b=diLbyyACuQBs9HNs7adkVHHXBH58VrMPjRDflq70Fq
	ccpb6vh8f7GOFu5FeBIw64RdGe/HhABEub3hkLer8NtC2SftzYpn//pVGfKaozvA
	KcRvdIX4SX3uFlYw8huwikor5VUa1D+EWFE9ExVrNHtKtBhJfl+mCILHlO3HpoWq
	kJGrz8UXqcAXZzACX9Bfh89G4I0PFVGiIj2z4ya04gh1D4PqZAXbNqCM+zs/C8jE
	KAALABffgJ7LzfzlY6CeuoA8XXqz5PtB12ZxmuxSmmgthTdxCekJeVAEdzqu/ScZ
	73CH/ArCn7f7GcCEQO+Ml9oiH+0SOTJ5J6OjZ5Ss0sng==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-type:date:from:in-reply-to
	:message-id:mime-version:references:subject:to:x-me-proxy
	:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=OibjNB
	AtF54uZbel6Qbti5CUbq1bblHOHcB0arFzSGc=; b=RJUUYN7PCSX03k74ViTvIb
	yZp+mBf7qQoXze8OjH27ybsU1aCdrwAZb0hnKQ3tIuHaG9R29AWBUnjk/GP70cNR
	GLWctXhLWXvXiXu2J84Vbu4PW3rOwjXAkMLba++wz9lLG0WpnRlmUmTQ+iSuINvO
	ftVkyH+ZovEl/PL33kadtm7Y7UrcJuD9f72dDgZXaTaygmI1BoBnyYA4YTKpedAJ
	DZfly1PX2dj8+jiI14Dpw8zyPuYVqrYznuqaQFwmfQQQ9go8rQLco9ZK4/s7b1qp
	hF91WVufpqrNQULoT+Zg4azpoMzWksKGhKlxNQq+/QzAQdzFsGEtjcvNqeYH7e+g
	==
X-ME-Sender: <xms:5I64Xht4T5NFXvFCwwnxeFwBfNCZZ4v64IRF1Bw-aDLb45MPcZPj5A>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrkeelgddvudcutefuodetggdotefrodftvf
    curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
    uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc
    fjughrpefhvffujghffffkgggtsehgtderredttddtnecuhfhrohhmpeetlhihshhsrgcu
    tfhoshhsuceohhhisegrlhihshhsrgdrihhsqeenucggtffrrghtthgvrhhnpeekgefhvd
    ekfeelgffhvddvvdeghfeiffehudetgfeggfehtdegjeetvdeludeltdenucffohhmrghi
    nhepshhpvggtthhruhhmqdhoshdrohhrghdpghhithhhuhgsrdgtohhmnecukfhppeejle
    drvdefhedruddviedrudefvdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhep
    mhgrihhlfhhrohhmpehhihesrghlhihsshgrrdhish
X-ME-Proxy: <xmx:5I64XiQh818skddHMPbq4mB0JtQEIe4lQytaVY2xpGE3VuCAvHu6ZQ>
    <xmx:5I64XgINwHkXX9o08oMd9qfSsdYzAhk316POdFltPWWs98oVRBZM_Q>
    <xmx:5I64XiCuEUcJgD_KOeUFWjrI14VEjImeYhPWdPzNDh9tembtC8-Vbg>
    <xmx:5I64Xse9hqiJy0hfDZ3Z2nVqcuxukgGtMR7kjaE1aCsrom_S2fEC9w>
Received: from x220.qyliss.net (p4feb7e84.dip0.t-ipconnect.de [79.235.126.132])
	by mail.messagingengine.com (Postfix) with ESMTPA id D0BB93066264;
	Sun, 10 May 2020 19:31:47 -0400 (EDT)
Received: by x220.qyliss.net (Postfix, from userid 1000)
	id CB897105F; Sun, 10 May 2020 23:31:46 +0000 (UTC)
From: Alyssa Ross <hi@alyssa.is>
To: discuss@spectrum-os.org, devel@spectrum-os.org
Subject: Re: This Week in Spectrum, 2020-W19
In-Reply-To: <87a72fpe90.fsf@alyssa.is>
References: <87a72fpe90.fsf@alyssa.is>
Date: Sun, 10 May 2020 23:31:44 +0000
Message-ID: <877dxjpdsv.fsf@alyssa.is>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha256; protocol="application/pgp-signature"
Message-ID-Hash: OPKQJKNZJT4OX36IVRBJN4TKLGMZOQF7
X-Message-ID-Hash: OPKQJKNZJT4OX36IVRBJN4TKLGMZOQF7
X-MailFrom: hi@alyssa.is
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header
CC: Puck Meerburg <puck@puckipedia.com>
X-Mailman-Version: 3.3.0
Precedence: list
List-Id: General high-level discussion about Spectrum <discuss.spectrum-os.org>
Archived-At: <https://spectrum-os.org/lists/hyperkitty/list/discuss@spectrum-os.org/message/OPKQJKNZJT4OX36IVRBJN4TKLGMZOQF7/>
List-Archive: <https://spectrum-os.org/lists/hyperkitty/list/discuss@spectrum-os.org/>
List-Help: <mailto:discuss-request@spectrum-os.org?subject=help>
List-Post: <mailto:discuss@spectrum-os.org>
List-Subscribe: <mailto:discuss-join@spectrum-os.org>
List-Unsubscribe: <mailto:discuss-leave@spectrum-os.org>

--=-=-=
Content-Type: text/plain

> I think that's it for this week, although honestly there have been so
> many different things going on I've probably missed something.

Oh, I know what I forgot!

cgit
----

I upgraded <https://spectrum-os.org/git/> from cgit 1.2.1 to 1.2.3,
which involved bumping cgit in Nixpkgs[1].

[1]: https://github.com/NixOS/nixpkgs/pull/87412


Nix
---

This actually happened last week, but I forgot it then too.  It also is
_technically_ not Spectrum work, but it's an issue with an important
Spectrum component that I found while working on Spectrum.

I found and fixed a denial-of-service issue in Nix that would let a
malicious derivation permanently break Nix store garbage collection
until the administrator manually intervened.

The commit message[2] has an extremely detailed write-up of what went
wrong.  Thanks to puck for helping me with the reproduction and fix.

[2]: https://github.com/NixOS/nix/commit/c05e20daa1abb3446e378331697938b78af2b3d7

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEH9wgcxqlHM/ARR3h+dvtSFmyccAFAl64juAACgkQ+dvtSFmy
ccAYnhAAgnkaw0Qu2nmc2BD2s13u09jS2OQayYzA5mk1d+n9cGLhgLPkxIcFSO2H
ZRowKsaeCoYIwKf8c7Gob/GbpspQYwNmuiJChhwpPgS35fBYt3kaS0gIEOq5Ua4S
Xh2LJCeiei2TTQGQjdmSvM5187O4NUZu2mqnwsYVGw9GWlbq+jzKj+4yV6/Wcx4r
MJaK48tIMJF3WeC65zJDLHrNwmj5wAuNn7rqP0aTP0aMuXoeNICVEoLghY78NgtY
itOIhneW64mAdCd4ln5E8/g8r2JVLBYTmUMAIRx+GwwbKmc9PhD559v+wBHxeUQM
SmPEfQeJMQJHiRchcwKpVEgpK2MqJ52iogrBQO4EWL60X2mMBfyamVRGj5XV8kGS
GdHg7wlC9BlKF8x8dJUi+OflGHo45s4tXEsvmWcFccSmymG9gKAQnX+xUZsracwP
OGtMFM+he+OqKBpjyg1aySPsRO0sR9EgAWq+sxFL7oZE3IQ8dffb1PI693wMjHzN
5ohIIm5OoJQx8V8DHWAjDprW+ajjrW6VNEaLRXQpra9gC+RU48K+vju47d7zUMf7
qpy/PCtMBE//gGWZ7Ph7No0L9WWSNqOw8t1lXzfBBiUfjX7hGzj1/y1TI3Qwyboh
ugJ/nwxA10qsbmHLkeSB8X+WxZGJQDXjZ+e0JwU1+A/OaKfesc0=
=hWzs
-----END PGP SIGNATURE-----
--=-=-=--