← Previous · All Episodes · Next →
nixpkgs.news 2024-03-21 Episode 2

nixpkgs.news 2024-03-21

· 20:15

|

Intro: Welcome to the Full-time Nix podcast. Today we have a reading in Nix Packages News for March 31st, 2024. nixpkgs.news is a service curated by Nix contributor Jake Hamilton, and it covers the latest in events related to the Nix Packages GitHub repository. It can be accessed at nixpkgs.news. Our hosts today are Shahar "Dawn" Or and Samyak Sarnayak.

Dawn: Are you feeling lucky? The NixOS community certainly is after, to the best of our knowledge, avoiding a critical backdoor in xz/liblzma (CVE-2024-3094). The security team will still be downgrading the xz package to 5.4.6 to be safe, but this process will result in a mass rebuild of hundreds of packages meaning that it will take a little more than a week to complete. Note that users can switch the version of the package early if they are willing to perform the builds on their systems. It is not clear whether other vulnerabilities exist in xz or other projects that the attacker has contributed to. A helpful writeup of the events leading up to this point was posted by Evan Boehs and an official page from the original xz author is available here.

Samyak: With May quickly approaching, a call for a release manager and editor of the 24.05 NixOS release has been made. @figsoda goes into detail about the release process and requirements for these roles. If you are interested in this position, you can get in touch via the announcement’s comments or on Matrix.

Dawn: The end of this week also saw the creation and move to final comment period of a new, exciting RFC: RFC 0173 FCP; NixOS hotline. The community is urged to read it quickly before it is merged in. What an exciting time to be a NixPkgs contributor! From Lassulus: "Hi everybody. To celebrate the good times, we started RFC 0173 and put it immediately into FCP. So read it fast before it is merged." Let's have a read. Hotline. Is this April 1st?

Samyak: Hmm.

Dawn: Isn't it?

Samyak: Very likely.

Dawn: Feature: "NixOS PR hotline". Start date: April 1st. Author: "trollulus". Co-authors: riotbib, rtrollreal, b-kenji, and... anyway. Summary: "Bring the power of German bureaucracy to Nixpkgs by using a sophisticated telephone system to interact with pull requests." If you want the whole thing, go ahead and read it. We will be moving on.

Samyak: @cdmistman announced the release of rippkgs, a tool capable of searching nixpkgs in under 30 milliseconds.

Dawn: 30 milliseconds, how quick is that? A blink of an eye!

Samyak: 2 frames in a 60 FPS video.

Dawn: That's quite an accurate description, thank you.

Samyak: For more information on how the tool works and what makes it different from other existing programs like nix-index, check out the Replit blog post.

Dawn: Very well. @Mic92 has posted a call for testers for nix-ld-rs, a rewrite of the original nix-ld. If you are currently using nix-ld and/or would like to help make sure the new version is working well, please consider testing out the project and reporting any regressions from the original nix-ld on GitHub.

Samyak: @reckenrode has started a new thread to share updates on Darwin in nixpkgs, separate from the previous thread cataloguing sponsored work.

Dawn: @fricklerhandwerk posted a full roadmap for the Nix documentation ecosystem. Documentation has been a pain point for many Nix newcomers as well as veterans and seeing the issues being addressed in a clear outline is great. Thank you to @danielsidhion and everyone else contributing to the improvement of learning and reference materials for Nix. Thank you indeed.

Samyak: That was good. Last week an important update to the way venv creation in Python environments works was made by @cwp to correct the previous, subtly broken, implementation. This was not mentioned in the previous nixpkgs.news article, but is worth knowing about for anyone using Python with Nix.

Dawn: Alright. This week we have 57 new packages. Are you ready for this? So here is the list. @9999years added git-upstream. git-upstream is a shortcut for git push with the --set-upstream flag, whatever the result of git remote is and then whatever the result is of git rev-parse with the --abbrev-ref HEAD arguments is. So if that sounds useful, you have it now.

Samyak: @aaronjheng added protobuf_26.

Dawn: @Aleksanaa added ascii-draw. What is ascii-draw? It's an app, it's a GUI app to draw diagrams or anything, using only ASCII. Wow. I'd like to play with that.

Samyak: Yeah that’s good. @Aleksanaa also added pdf4qt. It's an open source PDF editor powered by the Qt framework.

Dawn: PDF editor, cool! @alexarice added emacsPackages.texpresso, which is an Emacs mode for texpresso.

Samyak: LaTeX editing in Emacs. That seems useful. @Atemu added memtest_vulkan which is a Vulkan compute tool for testing video memory stability.

Dawn: @bhankas added workout-tracker. It's a workout tracking web application for personal use or family friends, geared towards running and other GPX-based activities.

Samyak: @ByteSudoer added gtkhash. gtkhash is a desktop utility for computing message digests or checksums. Supports well-known hash functions like MD5, SHAs and BLAKE2.

Dawn: @camillemndn added firefoxpwa, which is a tool to install, manage, and use progressive web apps in Mozilla Firefox.

Samyak: @dotlambda added mollysocket. mollysocket allows getting signal notifications via unified push.

Dawn: @drupol added lmstudio. lmstudio: "discover, download, and run local LLMs."

Samyak: @drupol added rabbit. rabbit is a recursive acronym for "rabbit is an activity-based bot identification tool." Classification models identify bot accounts based on their recent activities in GitHub.

Dawn: @drupol also added typstyle. It's a typst source code formatter because everything needs a source code formatter.

Samyak: Yep. I think this is only the first of the two typst tools we'll see today. @drupol also added a VS code extension called jbockle-format-files, which is a VS code extension that formats all files in the current workspace, selected folder or based on a glob.

Dawn: And finally, @drupol added vscode-extensions.myriad-dreamin.tinymist. tinymist is an integrated language server for typst.

Samyak: @emilioziniades added dotnet-outdated, which is a .NET Core global tool to display and update outdated NuGet packages in a project.

Dawn: @fabaff added cvemap. Navigate the Common Vulnerabilities and exposures (CVE) jungle with ease using cvemap, a command line interface tool designed to provide a structured and easily navigable interface to various vulnerability databases. You know, it says CLI tool, but I kind of see a text UI. Which looks like a table in the screenshot, but it's probably a little bit more than that.

Samyak: @fabaff also added a Python package called romy, which is a library for the Home Assistant ROMY integration.

Dawn: @fabaff also added a Python library, llama-index-embeddings-ollama. It provides programmatic startup/shutdown of ASGI apps.

Samyak: @fabaff also added a Python package called securityreporter, which is a Python wrapper around the reporter API.

Dawn: @fabaff also added vunnel. vunnel is a tool for fetching, transforming and storing vulnerability data from a variety of sources.

Samyak: @fabaff also added word-serpent-search, which is a CLI tool for vulnerability detection. It allows you to scan directories for various types of vulnerabilities, like XSS, authentication bypass, and others using the National Vulnerability Database.

Dawn: @fabaff also added wsrepl, a WebSocket REPL for pentesters.

Samyak: @gaelreyrol added a Python package called pulsar, which is the Python client for Apache Pulsar. Pulsar is like Kafka, but more modern and scalable.

Dawn: @GaetanLepage added bunbun, a simple and adorable sysinfo utility written in Rust. Why not?

Samyak: @GaetanLepage also added a Vim plugin called improved-search-nvim, which is a neovim plugin that improves the search experience.

Dawn: @GaetanLepage also added Vim plugin qmk-nvim. qmk-nvim is a 100% Lua plugin for neovim that formats QMK keymaps used in a large number of mechanical and hobbyist keyboards.

Samyak: @Guanran928: added mpv-osc-modern, modernx, and modernx-zydezu, three plugins for mpv, the video player.

Dawn: @hatch01 added httpy-cli. httpy is a modern user-friendly, programmable and filterable command line HTTP client for the API.

Samyak: @hennk added poetry-plugin-poeblix. It's a poetry plugin that adds various features that extend the poetry command such as building wheel files with log dependencies and validations of wheel or Docker containers.

Dawn: @jnsgruk added rockcraft. It's an application which is a tool for building OCI container images.

Samyak: @johnringer added autoAddDriverRunPathHook.

Dawn: @katanallama added vscode-extensions.ms-toolsai.datawrangler. datawrangler is a code-centric data viewing and cleaning tool that is integrated into VS Code and VS Code Jupyter notebooks. It provides a rich user interface to view and analyze your data, show insightful column statistics and visualizations, and automatically generate pandas code as you clean and transform the data.

Samyak: @kintrix007 added vlc-bittorrent, which is a plugin for VLC that allows you to open a torrent file or a magnet link directly with VLC. @Lilacious added railway-travel, which lets you look up travel information for many different railways, all without needing to navigate through different websites.

Dawn: That should be useful. @MatthewCroughan added scion-bootstrapper. This repository contains a bootstrapper for network configuration. It retrieves hints from available zero-conf services to discover the IP address and port of the discovery server serving the actual configuration files over HTTP.

Samyak: @mkg20001 added docuum. docuum performs least recently used eviction of Docker images to keep the disk usage below a given threshold. Docker plus Vacuum.

Dawn: Yes. Brilliant name. @mweinelt added wyoming-satellite. It's a replacement for the now-archived Home Assistant satellite package.

Samyak: @n8henrie added single-file-cli. SingleFile is a web extension for saving a faithful copy of a complete web page in a single HTML file.

Dawn: @OPNA2608 added famistudio. It's an NES music editor.

Samyak: @OPNA2608 also added rcu. It stands for Remarkable Connection Utility. It's an all-in-one offline/local management software for remarkable e-paper tablets, the RM1 and the RM2.

Dawn: @pinpox added wastebin. A minimal pastebin with a design shamelessly copied from bin.

Samyak: Rycar added affine. affine is a workspace with fully merged docs, whiteboards, and databases. Sounds like a Notion alternative.

Dawn: Looks quite like that as well. @RossComputerGuy added llvmPackages_18.

Samyak: @rsniezek added protonmail-desktop, which is a desktop application for ProtonMail and their calendar, made with Electron.

Dawn: @s1ls added invidious-router. invidious-router is a Go application that routes requests to different invidious instances based on their health status and optional response time.

Samyak: @sarahec, he added Python package scalene. scalene is a high-performance CPU, GPU and memory profiler for Python.

Dawn: @sarcasticadmin added aprx, digipeater software. aprx is a software package designed to run on any POSIX platform and act as an APRX digipeater and/or internet gateway.

Samyak: @Scrumplex added wlx-overlay-s, which is a lightweight OpenXR/OpenVR overlay for Wayland and X11 desktops.

Dawn: @t4ccer added buttermanager. buttermanager is a BTRFS tool for managing snapshots, balancing file systems, and upgrading the system safely.

Samyak: @vbgl added ocamlPackages_6_2.ocaml.

Dawn: @Vinetos added kmeet. kmeet allows you to organize secure online meetings via your web browser, your mobile, your tablet, or your computer.

Samyak: @Venatos added quarkus, which is a Kubernetes-native Java stack tailored for OpenJDK Hotspot and GraalVM, crafted from the best-of-breed Java libraries and standards.

Dawn: @wineee added wayfirePlugins.focus-request, wayfirePlugins.wayfire-shadows, and wayfirePlugins.wwp-switcher.

Samyak: @wolfgangwalther: added python3Packages.sphinx-rtd-dark-mode. Sounds like a dark mode plugin for documentation generator Sphinx.

Dawn: @yunfachi added uni-sync, a synchronization tool for Lian Li Fan controllers.

Samyak: We have one new module added this week. @s1ls added invidious-router...

Dawn: which we mentioned as a package. And we have 10 security fixes this week. @adamcstephens updated consul to fix CVE-2024-24786.

Samyak: @buckley310 updated brave to fix CVE-2024-2883, CVE-2024-2885, CVE-2024-2886, and CVE-2024-2887.

Dawn: @jian-lin updated emacs to fix CVE-2024-30205, CVE-2024-30204, CVE-2024-30203, and CVE-2024-30202.

Samyak: @LeSuisse patched expat to fix CVE-2024-28757.

Dawn: @LeSuisse updated coreutils to fix CVE-2024-0684.

Samyak: @natsukium updated python310 to fix CVE-2023-52425, CVE-2024-0450, and CVE-2023-6597.

Dawn: @networkException updated ungoogled-chromium to fix CVE-2024-2883, CVE-2024-2885, CVE-2024-2886, and CVE-2024-2887.

Samyak: @risicle updated risicle to fix CVE-2024-26540.

Dawn: @stigtsp updated perlPackages.HTTPBody to fix CVE-2013-4407.

Samyak: That's a long-standing issue. @yayayayaka updated gitlab to fix CVE-2023-6371 and CVE-2024-2818.

View episode details


Creators and Guests

Samyak Sarnayak
Host
Samyak Sarnayak
rust, open source, PL, and systems enthusiast
Shahar
Host
Shahar "Dawn" Or
Full Time Nix Podcast | Molybdenum Software Show | Software Teaming | open source | Nix | Rust

Subscribe

Listen to Full Time Nix using one of many popular podcasting apps or directories.

Apple Podcasts Spotify Overcast Pocket Casts Amazon Music
← Previous · All Episodes · Next →