40
How the xz backdoor highlights a major flaw in Nix | Shade's Blog (shadeyg56.vercel.app)
submitted 1 year ago by starman@programming.dev to c/nix@programming.dev
8 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[-] starman@programming.dev 6 points 1 year ago* (last edited 1 year ago)

That's true, but you have to know there was a backdoor first. If someone doesn't know, and they use the latest version, they're vulnerable to attack

[-] danmac@aus.social 9 points 1 year ago

@starman @GarlicToast true but I don't think you can use nix and not know about the xz exploit within minutes of it being found out.

[-] onlinepersona@programming.dev 4 points 1 year ago

Do you have an RSS feed of CVEs impacting Nixos?

Anti Commercial AI thingyCC BY-NC-SA 4.0

[-] lambda@programming.dev 2 points 1 year ago

I believe the point they were making is that if you are techy enough to use nix, they are likely the type to keep up to date with news like this.

[-] pbsds@lemmy.ml 4 points 1 year ago

If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade

[-] Atemu@lemmy.ml 2 points 1 year ago* (last edited 1 year ago)

That's a nice idea in theory but not possible in practice as the last Nixpkgs revision without a tainted version of xz is many months old. You'd trade one CVE for dozens of others.

this post was submitted on 03 Apr 2024
40 points (100.0% liked)

Nix / NixOS

2192 readers
2 users here now

Main links

Videos

founded 2 years ago
MODERATORS
erlingur@programming.dev
ballmerpeaking@programming.dev
WhiteBlackGoose@programming.dev