commits
(cherry picked from commit 5362d7b46f750b499e06388ac32b7cddf975de88)
- https://curl.se/docs/CVE-2025-4947.html
- https://www.openwall.com/lists/oss-security/2025/05/28/4
- https://curl.se/docs/CVE-2025-5025.html
- https://www.openwall.com/lists/oss-security/2025/05/28/5
Co-authored-by: Sefa Eyeoglu <contact@scrumplex.net>
(cherry picked from commit 21db980e6f6bb129fd973cb247702e6d1ecdf279)
Changelog: https://github.com/sxyazi/yazi/releases/tag/v25.5.28
Diff: https://github.com/sxyazi/yazi/compare/v25.4.8...v25.5.28
(cherry picked from commit 978c04ed74800486689b68d6e9d4399308519966)
Otherwise the package set will be the same as that of the overridden
interpreter.
(cherry picked from commit f83e7a305fbb57780ca2d81d7c1a29063125ae70)
Diff: https://gitlab.freedesktop.org/mesa/mesa/-/compare/mesa-25.0.6...mesa-25.0.7
Changelog: https://docs.mesa3d.org/relnotes/25.0.7.html
(cherry picked from commit 0269995815f734088a9d547701fa1e3aafd1d256)
(cherry picked from commit 7e1927f3a1eed52573eac93b93d2c66b4090ce4c)
The config-file key is 'server-unix-socket-mode', not 'service-unix-socket-mode'.
(cherry picked from commit b134f3148fb2b457f547842f173e34767d4d969f)
Running `mediagoblin-gmg reprocess initial` before would fail with
missing GST_PLUGIN_PATH and tools in PATH.
(cherry picked from commit 81d2a488e6f8a4f9cfb99c7fc261afdf5f77da32)
Before, the argument to mediagoblin-gmg would be passed to the actual command
and the rest to sh, which is obviously nonsense.
(cherry picked from commit dd63ca898e0d0a3780a830a71242b29d7c7baea9)
(cherry picked from commit bdce3dcf61ce9b1b0cd24b1964d87ba33cb6c80c)
When cherry-picking without -x or not cherry-picking at all, the
check-cherry-picks job would usually remain green. This is annoying to
deal with for reviewers, because "all green" still needs attention -
have all commits been cherry-picked properly?
If a commit was not cherry-picked correctly, either without -x or not at
all, because it's a genuine commit to begin with, the reviewer's
attention is required anyway. Thus we can also let the job fail in this
case.
(cherry picked from commit dfaefc053531399e9359f4d41054be4f7b597e45)
This makes the job significantly faster when the commit can't be found
on master or staging directly. Before this change, the script would have
had to iterate through 20+ release branches before finding the latest
one. With lazy fetching for git enabled, this would take a few minutes.
(cherry picked from commit a9b718b79640e9c0ad4366391654fd4138248187)
Those are protected branches, which can't be force pushed to - so the
commits will remain. Thus, we can also backport from them.
(cherry picked from commit ea636d1728f25328511401c4919eec96e7426de0)
Using a `tree:0` filter instead of `blob:none` reduces the checkout time
from over 3 minutes to about 45 seconds. The required trees/blobs will
then be fetched on-demand.
This on-demand fetching creates additional output for `git range-diff`
on stderr, so we hide that. This only happens the first time it's run,
so we don't need to adjust the other calls - which will still return any
real errors, should they happen.
(cherry picked from commit e575364ae613c5e208862350c48a60e6234b3086)
In a small terminal window this would just stop running after each
commit until you exit the pager. That's not what we want when running it
locally.
(cherry picked from commit 245b1c1c4859d4e5636dd2d3bccb3e4d3c44558e)
The default is to check out a contributor's fork as "origin", thus the
NixOS/nixpkgs remote is most likely named differently. But not everybody
keeps their fork's main branches up-to-date all the time. Thus the
script would fail locally.
(cherry picked from commit 2fea2bbf527ec30a62892f146d1a42305f7aa8f8)
(cherry picked from commit 6cf5f9e83bad75cb431661e35c7e15afe1fdc1e9)
We recently moved the $commits variable out of a "subshell in a
herestring", let's do the same for the list of branches, where errors
would be silently swallowed as well.
Also reformat the expressions slightly, we have enough line-length.
(cherry picked from commit e2a37921691a3c0131114795d4b756aa7bd5d4a4)
The script is part of CI and changes to it should be reviewed by the CI
owners. Thus moving it to ci/ is the most sensible thing to do.
(cherry picked from commit ad4b36d2d23e01c9c7303f4c9c6e1270a93dfe7f)
We really can't expect packages that are marked as broken to evaluate,
and *especially* not on unsupported platforms.
For context, we were attempting to eval them *past* the broken throw
previously, which caused fun side effects like [0].
When we set `includeBroken = true` before, this also included unfree
packages. Those would now be excluded, which is not what we want. Thus,
we explicitly enable them separately.
Commit by winterqt, message slightly reworded by wolfgangwalther.
[0]: https://github.com/NixOS/nixpkgs/issues/355847#issuecomment-2878873137
(cherry picked from commit 5240bdf3c63d7516f2bb74cd5e099f993a88ab89)
Changelog: https://gitlab.nic.cz/labs/bird/-/blob/v3.1.2/NEWS
(cherry picked from commit 66c3fb9d01bd029a253995765864aad87dd80519)
To my understanding it's current best practice to fetch from
a project's git repo and not use tarballs to avoid situations
where the tarball isn't as expected.
Since this change seems to be trivial for bird, I've implemented it here.
(cherry picked from commit 1c2e5e194f786095373bc6667cf90fb419d89e11)
(cherry picked from commit 99c53376ed0273ef8200f3c27157b4199e9e38e9)
(cherry picked from commit 0e11c494801f43cc09cb7c557cf7b2fcf8112e13)
Changelog: https://github.com/mikf/gallery-dl/releases/tag/v1.29.7
Diff: https://github.com/mikf/gallery-dl/compare/v1.29.6...v1.29.7
(cherry picked from commit 4a3054643c136123715e0214031e2a7e610ec818)
(cherry picked from commit 3371e0d6df311e0c9d9c962b605800d3251a1bb8)
(cherry picked from commit 277a3f207d7403b25639db9e3f8f1154769f2b31)
(cherry picked from commit 3811110f9958c1ca6725dee86e1dad51ab095172)
(cherry picked from commit 3ae75c4bab39831a1829ac3aad53199f3e9037a8)
(cherry picked from commit 65f536eb58d4743e7468185beaa0bb2e32a81ad3)
(cherry picked from commit 506a5143544a4e109f867b72b6fbe39b1eadd926)
(cherry picked from commit 495451554fc9e53e47dc86ece5f6e5c4736566b2)
https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_27.html
This update includes 11 security fixes.
CVEs:
CVE-2025-5063 CVE-2025-5280 CVE-2025-5064 CVE-2025-5065 CVE-2025-5066
CVE-2025-5281 CVE-2025-5283 CVE-2025-5067
(cherry picked from commit 8d399f35cc57dfbfc09658fe7fdd284a0fd34dbc)