Update nixpkgs (2024-09-23) #1113

Merged
merged 8 commits into fc-24.05-dev from PL-133043-update-nixpkgs-2024-09-23
Sep 27, 2024

Conversation

dpausp
Member

@dpausp dpausp commented Sep 24, 2024

Update nixpkgs (2024-09-23)

Pull upstream NixOS changes, security fixes and package updates:

  • asterisk: 20.9.2 -> 20.9.3
  • cacert: 3.101 -> 3.104
  • calibre: add patches for CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009
  • clamav: 1.3.1 -> 1.3.2
  • curl: apply patch for CVE-2024-8096
  • k3s_1_28: 1.28.12+k3s1 -> 1.28.13+k3s1
  • k3s_1_29: 1.29.7+k3s2 -> 1.29.8+k3s1
  • k3s_1_30: 1.30.3+k3s1 -> 1.30.4+k3s1
  • k3s_1_31: init 1.31.0+k3s1
  • python312: 3.12.4 -> 3.12.5
  • python3Packages.urllib3: 2.2.1 -> 2.2.2
  • ruby: 3.3.4 -> 3.3.5
  • runc: 1.1.12 -> 1.1.14
  • slurm: 23.11.9.1 -> 23.11.10.1
  • strace: 6.10 -> 6.11
  • tcpdump: 4.99.4 -> 4.99.5
  • unifi7: mark insecure due to CVE-2024-42025
  • unifi8: 8.1.127 -> 8.4.62
  • vim: 9.1.0377 -> 9.1.0707

PL-133043

Additional commits:

  • update_nixpkgs rebase fixes and output improvements
  • various additions and removals in the important package list
  • pinned kernel to 5.15.164 (no change)
  • brought back k3s 1.27 in our nixpkgs fork which was removed upstream

@flyingcircusio/release-managers

Release process

Impact:

Changelog:

(include pkg changes)

PR release workflow (internal)

  • PR has internal ticket
  • internal issue ID (PL-…) part of branch name
  • internal issue ID mentioned in PR description text
  • ticket is on Platform agile board
  • ticket state set to Pull request ready
  • if ticket is more urgent than within the next few days, directly contact a member of the Platform team

Design notes

  • Provide a feature toggle if the change might need to be adjusted/reverted quickly depending on context. Consider whether the default should be on or off. Example: rate limiting.
  • All customer-facing features and (NixOS) options need to be discoverable from documentation. Add or update relevant documentation such that hosted and guided customers can understand it as well.

Security implications

  • Security requirements defined? (WHERE)
    • pull in upstream security fixes from nixpkgs and for Gitlab regularly
  • Security requirements tested? (EVIDENCE)
    • automated tests still run, works on various test VMs, including a Gitlab test machine
    • checked commit log for fixed CVEs and possible problems with updates; looked at GitLab 17 changes | GitLab

@dpausp dpausp force-pushed the PL-133043-update-nixpkgs-2024-09-23 branch from 5bb73ae to 11efebc on September 24, 2024 20:25
Pull upstream NixOS changes, security fixes and package updates:

- asterisk: 20.9.2 -> 20.9.3
- cacert: 3.101 -> 3.104
- calibre: add patches for CVE-2024-6781, CVE-2024-6782, CVE-2024-7008, CVE-2024-7009
- clamav: 1.3.1 -> 1.3.2
- curl: apply patch for CVE-2024-8096
- k3s_1_28: 1.28.12+k3s1 -> 1.28.13+k3s1
- k3s_1_29: 1.29.7+k3s2 -> 1.29.8+k3s1
- k3s_1_30: 1.30.3+k3s1 -> 1.30.4+k3s1
- k3s_1_31: init 1.31.0+k3s1
- linux_5_15: 5.15.164 -> 5.15.167
- python312: 3.12.4 -> 3.12.5
- python3Packages.urllib3: 2.2.1 -> 2.2.2
- ruby: 3.3.4 -> 3.3.5
- runc: 1.1.12 -> 1.1.14
- slurm: 23.11.9.1 -> 23.11.10.1
- strace: 6.10 -> 6.11
- tcpdump: 4.99.4 -> 4.99.5
- unifi7: mark insecure due to CVE-2024-42025
- unifi8: 8.1.127 -> 8.4.62
- vim: 9.1.0377 -> 9.1.0707

Additional package update by us:

- gitlab: 17.2.7 -> 17.2.8

PL-133043
They have been removed from nixpkgs but we still tried to track their
versions.

PL-133043
@dpausp dpausp force-pushed the PL-133043-update-nixpkgs-2024-09-23 branch from a697dc7 to e040f33 on September 26, 2024 08:08
We are trying out a 6.11 kernel in non-prod right now, for (most) prod
systems we like to keep the 5.15.164 kernel we have been using for some
time now. Before, we used a revert in our nixpkgs fork to get the
desired version but we have multiple kernel updates from upstream
nixpkgs now and we want to pin it here to avoid any unwanted
updates and confusion.

PL-133043
@dpausp dpausp marked this pull request as ready for review September 26, 2024 18:58
@dpausp dpausp merged commit e5ed327 into fc-24.05-dev Sep 27, 2024
2 checks passed
@dpausp dpausp deleted the PL-133043-update-nixpkgs-2024-09-23 branch September 27, 2024 10:00
@osnyx osnyx mentioned this pull request Oct 4, 2024