this post was submitted on 03 Apr 2024
34 points (88.6% liked)

Nix / NixOS

1765 readers
5 users here now

Main links

Videos

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 7 months ago (2 children)

Nix lets you go back, and you and even mix channels. Pulling one package from a different version.

[–] [email protected] 5 points 7 months ago* (last edited 7 months ago) (3 children)

That's true, but you have to know there was a backdoor first. If someone doesn't know, and they use the latest version, they're vulnerable to attack

[–] [email protected] 7 points 7 months ago (1 children)

@starman @GarlicToast true but I don't think you can use nix and not know about the xz exploit within minutes of it being found out.

[–] [email protected] 3 points 7 months ago (1 children)

Do you have an RSS feed of CVEs impacting Nixos?

Anti Commercial AI thingyCC BY-NC-SA 4.0

[–] [email protected] 2 points 7 months ago

I believe the point they were making is that if you are techy enough to use nix, they are likely the type to keep up to date with news like this.

[–] [email protected] 4 points 7 months ago (1 children)

If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

That's a nice idea in theory but not possible in practice as the last Nixpkgs revision without a tainted version of xz is many months old. You'd trade one CVE for dozens of others.

[–] [email protected] 4 points 7 months ago

NixOS is aimed at highly technical people. You literally code your system structure.

[–] [email protected] 1 points 7 months ago (1 children)

That works for leaf packages but not for core node packages. Every package depends on xz in some way; it's in the stdenv aswell as bootstrap.

[–] [email protected] 1 points 7 months ago (1 children)

You are right, it will be a mess to pull xz from a different hash. This is why you go back to an older build, and keep only packages you need on the newer version.

[–] [email protected] 1 points 7 months ago

Those packages themselves depend on xz. Pretty much all of them.

What you're suggesting would only make the xz executable not be backdoored anymore but any other application using liblzma would still be as vulnerable as before. That's actually the only currently known attack vector; inject malicious code into SSHD via liblzma.