[-] starman@programming.dev 5 points 5 months ago* (last edited 5 months ago)

That's true, but you have to know there was a backdoor first. If someone doesn't know, and they use the latest version, they're vulnerable to attack

[-] danmac@aus.social 7 points 5 months ago

@starman @GarlicToast true but I don't think you can use nix and not know about the xz exploit within minutes of it being found out.

[-] onlinepersona@programming.dev 3 points 5 months ago

Do you have an RSS feed of CVEs impacting Nixos?

Anti Commercial AI thingy CC BY-NC-SA 4.0
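The question above is about tracking advisories that affect packages on a NixOS system. As an added example that is not from this thread or from the Nix project, the script below parses a constructed RSS 2.0 advisory feed (the feed URL, item text and package names are all invented for the sample) and flags the items that mention a package from a list of installed package names. In real use the installed list would come from the system closure, e.g. `nix-store --query --requisites /run/current-system`, and the feed text from whichever advisory feed you subscribe to; the matching is a plain whole-word search and is meant as a first-pass filter, not an authoritative vulnerability match.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample feed. It only mimics the shape of an RSS 2.0 advisory
# feed; the host, identifiers and descriptions are placeholders.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example advisory feed (constructed)</title>
    <item>
      <title>ADVISORY-PLACEHOLDER-1: xz: malicious code in liblzma build</title>
      <link>https://example.invalid/advisory/1</link>
      <description>Affected package: xz. Update to a clean release.</description>
    </item>
    <item>
      <title>ADVISORY-PLACEHOLDER-2: somepkg: denial of service</title>
      <link>https://example.invalid/advisory/2</link>
      <description>Affected package: somepkg. Not installed on most systems.</description>
    </item>
    <item>
      <title>ADVISORY-PLACEHOLDER-3: curl: header injection</title>
      <link>https://example.invalid/advisory/3</link>
      <description>Affected package: curl.</description>
    </item>
  </channel>
</rss>
"""


@dataclass(frozen=True)
class Advisory:
    title: str
    link: str
    description: str


def parse_feed(xml_text: str) -> list[Advisory]:
    """Parse RSS 2.0 text into Advisory records, tolerating missing fields."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("item"):
        advisories.append(
            Advisory(
                title=(item.findtext("title") or "").strip(),
                link=(item.findtext("link") or "").strip(),
                description=(item.findtext("description") or "").strip(),
            )
        )
    return advisories


def matching_advisories(
    advisories: list[Advisory], installed: list[str]
) -> list[tuple[str, Advisory]]:
    """Return (package, advisory) pairs where an installed package name appears
    as a whole word in the advisory title or description. Case-insensitive;
    each advisory is reported at most once."""
    hits = []
    for adv in advisories:
        text = f"{adv.title} {adv.description}"
        for pkg in installed:
            if re.search(rf"\b{re.escape(pkg)}\b", text, re.IGNORECASE):
                hits.append((pkg, adv))
                break
    return hits


if __name__ == "__main__":
    # Constructed installed-package list; a real one would come from the
    # system closure rather than being hard-coded.
    installed_packages = ["xz", "curl"]
    for pkg, adv in matching_advisories(parse_feed(SAMPLE_FEED), installed_packages):
        print(f"{pkg}: {adv.title} ({adv.link})")
```

Running it against the constructed feed reports the xz and curl items and skips the one for the uninstalled package. Matching by bare package name will produce false positives when a package name is also an ordinary word, so a production version would match on structured fields (affected package and version range) where the feed provides them.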

[-] lambda@programming.dev 2 points 5 months ago

I believe the point they were making is that if you are techy enough to use nix, you are likely the type to keep up to date with news like this.

[-] pbsds@lemmy.ml 4 points 5 months ago

If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade

[-] Atemu@lemmy.ml 2 points 5 months ago* (last edited 5 months ago)

That's a nice idea in theory but not possible in practice as the last Nixpkgs revision without a tainted version of xz is many months old. You'd trade one CVE for dozens of others.

[-] GarlicToast@programming.dev 4 points 5 months ago

NixOS is aimed at highly technical people. You literally code your system structure.

this post was submitted on 03 Apr 2024
36 points (89.1% liked)

Nix / NixOS