I think that's it for this week, although honestly there have been so many different things going on I've probably missed something.
Oh, I know what I forgot!
I upgraded https://spectrum-os.org/git/ from cgit 1.2.1 to 1.2.3, which involved bumping cgit in Nixpkgs.
This actually happened last week, but I forgot it then too. It also is _technically_ not Spectrum work, but it's an issue with an important Spectrum component that I found while working on Spectrum.
I found and fixed a denial-of-service issue in Nix that would let a malicious derivation permanently break Nix store garbage collection until the administrator manually intervened.
The commit message has an extremely detailed write-up of what went wrong. Thanks to puck for helping me with the reproduction and fix.