Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update nixpkgs (2024-11-25) #1174

Merged
merged 1 commit into from
Nov 26, 2024
Merged

Update nixpkgs (2024-11-25) #1174

merged 1 commit into from
Nov 26, 2024
+127 −79

Conversation

osnyx
Copy link
Member

@osnyx osnyx commented Nov 25, 2024
edited
Loading

Pull upstream NixOS changes, security fixes and package updates:

  • ghostscript: 10.03.1 -> 10.04.0
  • git: 2.44.1 -> 2.44.2
  • gitaly: Embed git binaries
  • gitlab: 17.2.9 -> 17.3.7
  • go_1_22: 1.22.6 -> 1.22.8
  • go_1_22: 1.22.6 -> 1.22.8, (#345953)
  • grafana: 10.4.11 -> 10.4.12
  • imagemagick: 7.1.1-38 -> 7.1.1-39
  • libtiff: patch for CVE-2023-52356 & CVE-2024-7006
  • matrix-synapse: 1.118.0 -> 1.119.0
  • nodejs_18: 18.20.4 -> 18.20.5
  • nodejs_22: 22.8.0 -> 22.10.0, (#349157)
  • nspr: 4.35 -> 4.36
  • nss_latest: 3.105 -> 3.106
  • postgresql_12: 12.20 -> 12.21
  • postgresql_13: 13.16 -> 13.17
  • postgresql_14: 14.13 -> 14.14
  • postgresql_15: 15.8 -> 15.9
  • postgresql_16: 16.4 -> 16.5
  • python311: 3.11.9 -> 3.11.10
  • python312: 3.12.5 -> 3.12.6
  • qemu: 8.2.6 -> 8.2.7
  • redis: 7.2.4 -> 7.2.6
  • unzip: apply patch for CVE-2021-4217
  • vim: 9.1.0707 -> 9.1.0765

PL-133203

@flyingcircusio/release-managers

Release process

  • Created changelog entry using ./changelog.sh

PR release workflow (internal)

  • PR has internal ticket
  • internal issue ID (PL-…) part of branch name
  • internal issue ID mentioned in PR description text
  • ticket is on Platform agile board
  • ticket state set to Pull request ready
  • if ticket is more urgent than within the next few days, directly contact a member of the Platform team

Design notes

  • Provide a feature toggle if the change might need to be adjusted/reverted quickly depending on context. Consider whether the default should be on or off. Example: rate limiting.
  • All customer-facing features and (NixOS) options need to be discoverable from documentation. Add or update relevant documentation such that hosted and guided customers can understand it as well.

Security implications

  • Security requirements defined? (WHERE)
    • regularly pull in security updates for software
    • must not introduce known regressions
    • check for breaking changes
  • Security requirements tested? (EVIDENCE)
    • automated tests still pass
    • test gitlab update in staging environment
    • check git log for fixed CVEs
    • checked changelog for breaking changes of: matrix-synapse, gitlab, element

@osnyx osnyx force-pushed the PL-133203-2405-update-nixpkgs-2024-11-25 branch 4 times, most recently from a9920db to 91c43bb Compare November 25, 2024 19:53
@osnyx osnyx marked this pull request as ready for review November 26, 2024 10:16
leona-ya
leona-ya reviewed Nov 26, 2024
View reviewed changes
Copy link
Member

@leona-ya leona-ya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a bit worried that the ghostscript darwin change (flyingcircusio/nixpkgs@7aae423) could lead to huge uncached rebuilds on our VMs.

leona-ya
leona-ya approved these changes Nov 26, 2024
View reviewed changes
Copy link
Member

@leona-ya leona-ya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ghostscript darwin commit is not an issue on our VMs (tested with python3Packages.ocrmypdf). Otherwise looks also fine to me.

@osnyx
Update nixpkgs (2024-11-25)
37fa8d4 
Pull upstream NixOS changes, security fixes and package updates:

- chromium: 130.0.6723.69 -> 130.0.6723.116 (CVE-2024-10826, CVE-2024-10827, CVE-2024-10487, CVE-2024-10488)
- element-web: 1.11.82 -> 1.11.85
- firefox: 132.0 -> 132.0.2
- ghostscript: 10.03.1 -> 10.04.0
- git: 2.44.1 -> 2.44.2
- github-runner: 2.320.0 -> 2.321.0
- gitlab: 17.2.9 -> 17.3.7
- go_1_22: 1.22.6 -> 1.22.8
- go_1_22: 1.22.6 -> 1.22.8, (#345953)
- grafana: 10.4.11 -> 10.4.12
- imagemagick: 7.1.1-38 -> 7.1.1-39
- libtiff: patch for CVE-2023-52356 & CVE-2024-7006
- matrix-synapse: 1.118.0 -> 1.119.0
- nodejs_18: 18.20.4 -> 18.20.5
- nodejs_22: 22.8.0 -> 22.10.0, (#349157)
- nspr: 4.35 -> 4.36
- nss_latest: 3.105 -> 3.106
- postgresql_12: 12.20 -> 12.21
- postgresql_13: 13.16 -> 13.17
- postgresql_14: 14.13 -> 14.14
- postgresql_15: 15.8 -> 15.9
- postgresql_16: 16.4 -> 16.5
- python311: 3.11.9 -> 3.11.10
- python312: 3.12.5 -> 3.12.6
- redis: 7.2.4 -> 7.2.6 (CVE-2024-31449, CVE-2024-31227, CVE-2024-31228)
- unzip: apply patch for CVE-2021-4217
- vim: 9.1.0707 -> 9.1.0765 (CVE-2024-47814)

PL-133203
@osnyx osnyx force-pushed the PL-133203-2405-update-nixpkgs-2024-11-25 branch from 91c43bb to 37fa8d4 Compare November 26, 2024 14:00
@osnyx osnyx merged commit f4b546a into fc-24.05-dev Nov 26, 2024
1 check passed
@osnyx osnyx deleted the PL-133203-2405-update-nixpkgs-2024-11-25 branch November 26, 2024 14:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leona-ya leona-ya leona-ya approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@osnyx @leona-ya