01:53 <cruxbridge> <emmett1> hello. Updating package 'xorg-libxmu' just encountered error about missing libtool file.

01:53 <cruxbridge> <emmett1> https://0x0.st/XsRb.log

03:39 <jaeger> You'll need to rebuild anything that owns a libtool file referencing that

03:39 <jaeger> grep libuuid.la /usr/lib/*.la, rebuild anything that matches

04:48 <cruxbridge> <emmett1> jaeger: ok thanks jaeger

04:49 <cruxbridge> <emmett1> btw any plan on completely remove *la files in the future?

05:13 <cruxbridge> <jloc0> One of my xfce4 packages deps on a la file not present in a xorg package and fails since it don’t exist on the system, id say completely removing la files is premature at best. I’ve found most of xfce expects them to exist (I don’t recall which xorg package it is and I’m away from my machine)

05:14 <cruxbridge> <jloc0> Just commenting on “complete removal”

06:19 <cruxbridge> <emmett1> thats because half of your packages is provided *.la files

06:20 <cruxbridge> <emmett1> i've been using CRUX before without *.la files completely by exclude it in /etc/pkgadd.conf, and never encounter libtool error even once

06:21 <cruxbridge> <emmett1> and as far as i know, CRUX the only distro that still keep *.la files

06:23 <cruxbridge> <emmett1> Venom Linux started around 2016 (something around that year) been rolling without *.la files, never encounter libtool error once

06:23 <cruxbridge> <emmett1> and only ImageMagick required its *.la files

09:26 <cruxbot> [xorg/3.7]: xorg-libxt: rebuilt for util-linux 2.40

09:26 <cruxbot> [xorg/3.7]: xorg-libsm: rebuilt for util-linux 2.40

09:33 <cruxbot> [opt/3.7]: iwd: updated to version 2.17

13:19 <cruxbot> [opt/3.7]: prt-utils: updated URL

14:42 <cruxbot> [opt/3.7]: thunderbird-bin: updated to version 115.9.0

14:44 <cruxbot> [contrib/3.7]: vte3: updated to version 0.76.0; new dependency: lz4

14:44 <cruxbot> [contrib/3.7]: python3-referencing: updated to version 0.34.0

14:44 <cruxbot> [contrib/3.7]: python3-importlib_metadata: updated to version 7.1.0

15:27 <cruxbot> [core/3.7]: coreutils: updated to version 9.5

15:49 <cruxbot> [xorg/3.7]: xorg-libpciaccess: updated to version 0.18.1

18:04 <frinnst> heh wallop even. cool shit

18:05 <frinnst> in case anyone filters those: https://www.openwall.com/lists/oss-security/2024/03/29/4 - crux should be veeeery affected i assume

18:05 <tilman> i was about to check if it is

18:06 <tilman> and yes, scariest shit in a long while

18:07 <frinnst> just finished off true detective and started to read some emails :D

18:12 <frinnst> guy commits to libarchive as well

18:14 <frinnst> or is it only for debian-basaed systems? if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then

18:15 <frinnst> "openssh does not directly use liblzma. However debian and several other

18:15 <frinnst> distributions patch openssh to support systemd notification, and libsystemd

18:15 <frinnst> does depend on lzma."

18:15 <frinnst> guess it won't affect crux

18:21 <tilman> imagine you're xz's original author and find out about this :'(

18:28 <tilman> frinnst: the HN thread links https://github.com/libarchive/libarchive/pull/1609 among others

18:59 <tilman> https://news.ycombinator.com/item?id=39866275 sounds like redhat knew about about the ifunc thing being used as a backdoor?

21:47 <remiliascarlet> Affected versions happen to be 5.6.0 and 5.6.1, but all my FreeBSD, OpenBSD, PostmarketOS, and Debian/Devuan boxes report they run 5.4.x. Only 1 Void Linux box had 5.6.1, and a simple `xbps-install -Su` made it downgrade back to 5.4. This effectively makes CRUX the only one with the backdoored version in it.

21:48 <cruxbridge> <tim> i have to ask: do you ever stop and think for a second before you post on irc?

21:50 <remiliascarlet> I have no idea what your problem is, you seem pretty miserable every time I saw anything at all as of late.

21:50 <joacim> i've been lazy, and still use 5.4.x on my crux install

21:50 <remiliascarlet> s/saw/say

21:51 <remiliascarlet> Downgraded xz on CRUX now.

21:51 <joacim> my tumbleweed system is on 5.6.1 tho

21:52 <jaeger> From what I can see crux isn't really vulnerable (no systemd linked with xz/lzma, no ssh linked against systemd linked against xz/lzma, no successful check for debian/redhat derivatives in configure), for what that's worth... but it's still a scary supply chain issue either way

21:53 <joacim> actually, i've been lazy with my tumbleweed system too. so i'll lock the package, or just not upgrade until this is fixed

21:54 <cruxbridge> <tim> i agree with jaeger, until the supply chain issue is not resolved I have no idea what else there is to do.

21:55 <joacim> what is the bridge bridging from?

21:55 <remiliascarlet> I know it only affects shitstaind distro's, but I still downgraded it just in case it turns out it affects other init systems as well.

21:56 <cruxbridge> <tim> joacim: matrix

22:21 <remiliascarlet> Looking at Linux IRC channels, and they say it affects systemd distro's only.

22:21 <remiliascarlet> Looking at BSD IRC channels, and they say it affects all glibc distro's.

22:23 <joacim> i guess it affects everything that links to it

22:27 <ukky> my system still uses 5.4.5. That's the case when being too busy is good