2023-09-06 20:56:24 <ikke> ouch, grafana leaked their package signing key + passphrase: https://grafana.com/blog/2023/09/06/grafana-security-update-post-incident-review-and-timeline-for-gpg-signing-key-rotation/
2023-09-06 21:01:40 <jvoisin> who needs HSM anyway
2023-09-06 21:02:24 <ikke> We could use a couple
2023-09-06 21:03:33 <jvoisin> https://www.yubico.com/fr/product/yubihsm-2-series/yubihsm-2 650USD
2023-09-06 21:04:03 <jvoisin> albeit to be fair, GPG keys on yubikey would be more than enough
2023-09-06 21:05:58 <ikke> but it needs to be available to the builders all the time
2023-09-06 21:17:44 <minimal> HSMs usually seem to have crappy software lol
2023-09-11 09:03:34 <omni> ncopa: !51335
2023-09-11 09:05:05 <omni> from the pipelines it looks like some files in /usr/bin are removed compared to previous versions, not sure if expected or build need to be modified to explicitly build them
2023-09-11 10:13:55 <omni> nvm
2023-09-12 21:42:12 <omni> https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
2023-09-12 21:42:30 <omni> upgrade to 116.0.5845.187 in 3.18 too or other?
2023-09-12 21:44:00 <ikke> I think it makes sense to upgrade it to 116
2023-09-12 21:47:39 <omni> then I saw this https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html
2023-09-12 21:47:49 <omni> not sure if secfixes has been kept up-to-date
2023-09-12 22:19:02 <omni> I won't look at it now myself
2023-09-13 08:20:14 <ikke> omni: the question is if it makes sense to duplicate all these secfixes where the information is already available in the CVE / CPE.
2023-09-13 08:21:34 <omni> ikke: I meant secfixes as in the section in the APKBUILD
2023-09-13 08:21:41 <omni> or am I missing something?
2023-09-13 08:22:46 <ikke> I'm talking about the same 
2023-09-13 08:24:11 <omni> then I'm not sure when we need to add CVE numbers to the APKBUILD files or not
2023-09-13 08:24:48 <ikke> Traditionally we added them for every CVE
2023-09-13 08:24:57 <omni> only if it's not obvious from the version?
2023-09-13 08:25:32 <ikke> But psykose started to leave them out in case the upgraded version is known to be not affected 
2023-09-13 08:25:54 <ikke> The only reason not to do that is because of lazy security scanners 
2023-09-13 08:26:11 <ikke> (not to leave them out)
2023-09-13 08:26:47 <omni> ok, seems reasonable
2023-09-13 08:27:30 <ikke> Another reason is that it also updates security.a.o in case that hasn't been done by data from the nvd
2023-09-13 08:30:27 <omni> ncopa: wrt libarchive, should I continue with 3.7.2 upgrades for 3.15-3.17? rather than adding patches, that I'm less comfortable with. there's also secfixes in the 3.7.1 release
2023-09-13 08:31:17 <omni> I think the dependencies are on libarchive.so.13 rather than libarchive.so.13.x.y
2023-09-13 08:31:40 <ncopa> i would expect it to be ABI compatible yes
2023-09-13 08:31:49 <ncopa> hum
2023-09-13 08:32:45 <ncopa> i think we can continue update to libarchive 3.7.2 for the other stable branches as well
2023-09-13 08:32:54 <ncopa> should be low risk for breakages
2023-09-13 08:33:02 <ncopa> and it will make it easier for the future
2023-09-13 08:33:18 <omni> ok
2023-09-13 08:58:42 <ncopa> thank you!
2023-09-13 09:07:13 <omni> np
2023-09-13 10:50:47 <ikke> -fstack-protected was not working properly on arm64: https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
2023-09-13 10:51:24 <ikke> https://lwn.net/Articles/944307/ mentions that packages would need to be rebuilt
2023-09-13 11:20:28 <ncopa> sounds fun
2023-09-13 11:39:26 <ncopa> im not sure its realistic to rebuild the world. at least not for the stable branches
2023-09-13 12:01:00 <jvoisin> clang had a similar issue a couple of years ago :o)
2023-09-13 16:48:05 <omni> !51544
2023-09-13 16:48:13 <omni> what is the preferred language here?
2023-09-13 16:49:05 <omni> I've seen (and used) "add mitigations for", "fix" and "patch"
2023-09-13 17:04:39 <fluix> not on alpine at this moment but whatever the security flag is for abump uses "pkg: security upgrade to x.y.z (CVE-...)"
2023-09-13 17:07:33 <omni> that is when there is a pkgver bump
2023-09-13 17:08:02 <ikke> Not a strong opinion, I'd say "patch"
2023-09-13 17:08:22 <fluix> ah, yeah I support patch but no strong opinion either
2023-09-13 17:08:41 <ikke> like you said, the messages are all over the place
2023-09-13 17:20:49 <omni> it's such a nitpick but I felt like not introducing additional messages
2023-09-13 17:21:09 <omni> so I think I'll reword it, but keep the author ofcourse
2023-09-13 17:21:50 <omni> just want to eyeball the patch a bit, as in comparing it to mozillas patch and the original
2023-09-13 17:21:54 <omni> then merge
2023-09-13 17:55:04 <omni> !51549
2023-09-13 17:58:28 <omni> patch seems to also apply cleanly on 1.2.2 through 1.2.4 that we have in 3.15 through 3.17
2023-09-13 18:13:22 <omni> !51550 !51551 !51552
2023-09-13 18:22:32 <ikke> omni: thanks for working on that
2023-09-13 18:26:09 <omni> I hope the patch does more than just pass builds :D
2023-09-13 18:26:33 <ikke> Yeah, that's always the tricky part
2023-09-13 18:28:26 <omni> I'll leave it to someone else to feel confident enough to merge to the stable branches
2023-09-13 18:31:23 <omni> chromium still needs to be patched/upgraded in 3.18 for the same CVE
2023-09-13 18:33:00 <ikke> maybe you can poke elly 
2023-09-13 23:10:49 <jvoisin> https://codesearch.debian.net/search?q=coefficients+are+valid+but+do+not+store+them&literal=1
2023-09-13 23:11:20 <jvoisin> Alpine doesn't have an equivalent, but I'm sure there is a ton of embeded copies of webp in a lot of packages
2023-09-14 00:19:42 <sam_> not sure i'd call it a ton
2023-09-14 00:19:44 <sam_> the qt ones are all the same
2023-09-14 09:25:46 <omni> !51584 !51585
2023-09-14 09:40:29 <omni> !51586 !51587
2023-09-14 10:09:55 <omni> besides testing/godot, are there others we have not yet touched?
2023-09-19 21:59:16 <omni> they didn't release XSA-438 on time https://xenbits.xen.org/xsa/
2023-09-28 07:02:54 <omni> https://xenbits.xen.org/xsa/advisory-439.html
2023-09-28 07:03:51 <omni> now not even a patch is supplied so we need to create our own from the git trees
2023-09-28 07:06:11 <omni> and they've previously said that their infrastructure makes it cumbersome to do point releases, why they don't do that often and never as soon as there is a security update, as I've begged for
2023-09-28 07:12:05 <omni> begged as in that I've asked for it multiple times and told them how not doing point releases and having XSA patches only apply to the tip of each stable-branch makes it harder for some downstreams like ours to patch
2023-09-28 07:48:28 <omni> !52435 !52436 !52437 !52439 !52440
2023-09-30 07:40:04 <celie> It seems there are some new CVEs for Exim: https://seclists.org/oss-sec/2023/q3/254
2023-09-30 07:40:54 <celie> "Fixes are available in a protected repository and are ready to be applied by the distribution maintainers."
2023-09-30 09:13:00 <ikke> I don't think we have access to those 
2023-09-30 09:16:02 <celie> Hopefully the patches will released to everyone soon
2023-09-30 14:10:35 <jvoisin> related to exim: https://wiki.debian.org/Debate/DefaultMTA