Next Tuesday, at 2025-08-12T10:00:00Z, the Hydra team will disclose security vulnerabilities.
This disclosure has been communicated to the Infra team and they will handle https://hydra.nixos.org accordingly.
Since some unrelated changes landed in the last couple of weeks, I recommend that the Nixpkgs Hydra maintainers update to the latest published version now, so that the actual security update is as small as possible. This update would include these potentially breaking changes:
The mitigations for the vulnerabilities include various changes of note:

- Additional verification of some data, which could break existing setups
- Configuration is now required to use some optional features where no configuration was previously necessary
- A huge code change to prevent similar issues in the future, with great potential for slight oversights. While nothing was found during testing, please open issues in the Hydra repository when you find one
If you also happen to find security issues in Hydra, please be sure to contact the security team, which will handle the report.
Special thanks go out to @msanft for reporting the vulnerabilities, @hexa for coordination with the Infra and Security teams, and @Mic92 for fixing one of the vulnerabilities.
Thanks Sandro for picking this up so quickly. I hope to give it some light testing tomorrow or the day after, but I at least reviewed the upstream diffs as well as I could and those all look good to me. The only thing I don't know for sure is the machine info UI, which seems tailored to the new queue runner.