Nixpkgs: Vulnerability roundup 84: zip-3.0: 1 advisory

Created on 20 May 2020 · 7 comments · Source: NixOS/nixpkgs

search, files

  • [ ] [CVE-2018-13410](https://nvd.nist.gov/vuln/detail/CVE-2018-13410) CVSSv3=9.8 (nixos-20.03)

Scanned versions: nixos-20.03: 82b5f87fcc7. May contain false positives.

security

All 7 comments

See also: #57192

And see also: #70134 :) I guess the whitelisting didn't stick?

@ckauhaus @puzzlewolf We've been at this point with other CVEs. Should we introduce a meta.securityWhitelist = [ "CVE-2018-13410" ]? This would also help with proper documentation of the reasons for whitelisting.

@wamserma @ckauhaus I think something like that would be a good idea. It would also make this process more transparent.

I guess this should be discussed in a more visible place, maybe https://discourse.nixos.org/t/vulnerability-roundups-are-back/7291?

It's weird, the whole vulnerability roundup doesn't seem to get talked about a lot, and most issues have not had any action for a week :thinking:. Well, a week isn't really a long time.

@wamserma @puzzlewolf Yes, will discuss the thing about permanent whitelists in Discourse. I think we should try to filter as much noise as possible so that the remaining roundup issues are actionable.

@ckauhaus Fine with me, just ensure the Discourse thread is linked here and/or in a new GitHub issue.
I think this is not only about reducing noise but also about documentation and traceability of issues added to the whitelists. Keeping this as close to the actual package definitions is important imho and is also the way Yocto does this, see their presentation, slide 69 onward. This presentation also mentions their use of SRTool for keeping track of CVEs, while Debian and Ubuntu use a Git based approach and Arch has a homegrown solution. NixOS definitely needs something like https://security.nixos.org - but that discussion needs to be done on Discourse followed by an RFC.
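To illustrate the per-package whitelist with a documented reason that the comments above propose, here is an added example (not code from nixpkgs or the roundup tooling): it parses findings in the line format this issue uses and suppresses a CVE only when the whitelist entry for that package carries a reason and has not passed its re-review date. The `WHITELIST` structure, the `until` field and the second CVE line are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample findings in the format of the roundup issue body.
# The second id is a placeholder, not a real CVE.
ROUNDUP_LINES = [
    "CVE-2018-13410 CVSSv3=9.8 (nixos-20.03)",
    "CVE-2020-00000 CVSSv3=7.5 (nixos-20.03)",
]

@dataclass
class WhitelistEntry:
    cve: str
    reason: str            # why the finding is not actionable here
    until: Optional[date]  # re-review date; None means no expiry set

# Hypothetical per-package whitelist, the kind of data a
# meta.securityWhitelist attribute could carry next to the package.
WHITELIST = {
    "zip-3.0": [
        WhitelistEntry("CVE-2018-13410", "see #57192 and #70134", date(2020, 11, 1)),
    ],
}

LINE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\s+CVSSv3=([\d.]+)\s+\(([^)]+)\)")

def parse_line(line):
    """Return (cve, cvss_score, channel) from one roundup line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised roundup line: {line!r}")
    return m.group(1), float(m.group(2)), m.group(3)

def triage(package, lines, today):
    """Split findings into (actionable, suppressed).

    A CVE is suppressed only if the package whitelists it with a
    non-empty reason and the entry has not passed its re-review date;
    everything else stays actionable so the roundup remains honest."""
    actionable, suppressed = [], []
    entries = {e.cve: e for e in WHITELIST.get(package, [])}
    for line in lines:
        cve, score, channel = parse_line(line)
        e = entries.get(cve)
        if e and e.reason.strip() and (e.until is None or today <= e.until):
            suppressed.append((cve, e.reason))
        else:
            actionable.append((cve, score, channel))
    return actionable, suppressed
```

Running `triage("zip-3.0", ROUNDUP_LINES, date(2020, 5, 20))` suppresses CVE-2018-13410 with its reason and leaves the placeholder finding actionable; once the re-review date passes, the whitelisted CVE surfaces again.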

still on it ;)
