240
nixpkgs > aur (programming.dev)
submitted 1 day ago by danhab99@programming.dev to c/linuxmemes@lemmy.world
30 comments fedilink hide all child comments

cross-posted from: https://programming.dev/post/52191489

you are viewing a single comment's thread
view the rest of the comments
[-] RustyNova@lemmy.world 148 points 1 day ago

As a nix user, I wouldn't laugh. We are vulnerable to this type of attack as well.

Heck, it's surprising we aren't full of malware considering how many packages there are, and an easy supply chain attack vector with auto RyanTM PRs.

[-] Kronusdark@lemmy.world 31 points 1 day ago

Yea. especially if you use flakes heavily. Itโ€™s so decentralized it could take longer to catch.

[-] juipeltje@lemmy.world 13 points 1 day ago

It's possible, but at the very least someone glances over the derivation since it's part of the actual nixpkgs repo right? AUR on the other hand is a wild west.

[-] basxto@discuss.tchncs.de 3 points 12 hours ago

is a wild west.

I prefer to call it anarchy

[-] kevincox@lemmy.ml 6 points 21 hours ago

Yes, on one hand every commit to nixpkgs needs review (to some degree) on the other hand there are far too many committers to nixpkgs.

There are also gaps such as the bots to auto-merge packages with maintainer approval, so a simple attack looks like this:

  1. Submit a package with you as a maintainer.
  2. Create a new GitHub account and send a malicious update to that package.
  3. Use a bot to merge with maintainer approval.

So nixpkgs is better than the AUR, but it isn't great and unlike Arch has no separate official repos.

[-] RustyNova@lemmy.world 14 points 1 day ago

Yeah if the url is https://i_hack.you/ yeah that will be easy to spot. But imagine an attacker just to a "patch update", updating the url and hash to the malicious repository, and use a typo squatted domain/repository, that will make it harder to spot.

[-] moonpiedumplings@programming.dev 12 points 1 day ago

No, it would actually be quite easy to spot.

Nixpkgs templates the source code url fro the url, and then it injects a variable

Here is an example from bash:

pname = "bash${lib.optionalString interactive "-interactive"}";
    version = "5.3${fa.patch_suffix}";
    patch_suffix = "p${toString (builtins.length upstreamPatches)}";

    src = fetchurl {
      url = "mirror://gnu/bash/bash-$%7Blib.removeSuffix fa.patch_suffix fa.version}.tar.gz";
      hash = "sha256-DVzYaWX4aaJs9k9Lcb57lvkKO6iz104n6OnZ1VUPMbo=";
    };

If the url were to be changed, it would show up as a change in git when someone is reviewing before merging.

[-] danhab99@programming.dev 2 points 1 day ago

I don't see how it would happen. Nix is immune bc hashes are constantly checked, you can't swap in malicious code without a person noticing bc it might throw a mismatched hash error. Also nixpkgs has been really good about vetting packages, I don't expect them to look too closely into the source codes of everything but if something malicious were to happen like what is happening to AUR someone would see it way faster

[-] RustyNova@lemmy.world 23 points 1 day ago

The AUR attack attacked the build files. On nix, you could easily set a new download url for the package, set the new hash, and claim the project has moved to a new repo/site.

That would require a second person to vet on it, but it could be seen as normal for a maintainer not in the know about the project.

New packages are harder to pass, but it could also work.

[-] wreckedcarzz@lemmy.world 12 points 1 day ago

It's 2005 and "you can't get viruses on ~~Mac~~ Nix" advertising is playing all over again

this post was submitted on 18 Jun 2026
240 points (100.0% liked)

linuxmemes

31797 readers
616 users here now

Hint: :q!

Sister communities:

Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
  • Don't get baited into back-and-forth insults. We are not animals.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
    • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn, no politics, no trolling or ragebaiting.
  • Don't come looking for advice, this is not the right community.
    • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
    • 5. ๐Ÿ‡ฌ๐Ÿ‡ง Language/ัะทั‹ะบ/Sprache
  • This is primarily an English-speaking community. ๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ‡ฆ๐Ÿ‡บ๐Ÿ‡บ๐Ÿ‡ธ
  • Comments written in other languages are allowed.
  • The substance of a post should be comprehensible for people who only speak English.
  • Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
    • 6. (NEW!) Regarding public figuresWe all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations.
  • Keep discussions polite and free of disparagement.
  • We are never in possession of all of the facts. Defamatory comments will not be tolerated.
  • Discussions that get too heated will be locked and offending comments removed.
    • ย 

    Please report posts and comments that break these rules!

    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.

    founded 3 years ago
    MODERATORS
    poopsmith@lemmy.world
    zephyr@lemmy.world
    rtxn@lemmy.world