Nix / NixOS

1465 readers

49 users here now

Main links

Videos

founded 1 year ago

MODERATORS

[email protected]

How the xz backdoor highlights a major flaw in Nix | Shade's Blog (shadeyg56.vercel.app)

submitted 5 months ago by [email protected] to c/[email protected]

11 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 5 points 5 months ago* (last edited 5 months ago) (3 children)

That's true, but you have to know there was a backdoor first. If someone doesn't know, and they use the latest version, they're vulnerable to attack

[–] [email protected] 7 points 5 months ago (1 children)

@starman @GarlicToast true but I don't think you can use nix and not know about the xz exploit within minutes of it being found out.

[–] [email protected] 3 points 5 months ago (1 children)

Do you have an RSS feed of CVEs impacting Nixos?

Anti Commercial AI thingy

CC BY-NC-SA 4.0

[–] [email protected] 2 points 5 months ago

I believe the point they were making is that if you are techy enough to use nix, they are likely the type to keep up to date with news like this.

[–] [email protected] 4 points 5 months ago

NixOS is aimed at highly technical people. You literally code your system structure.

[–] [email protected] 4 points 5 months ago (1 children)

If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago)

That's a nice idea in theory but not possible in practice as the last Nixpkgs revision without a tainted version of xz is many months old. You'd trade one CVE for dozens of others.