Nix / NixOS @programming.dev starman @programming.dev 3 mo. ago

How the xz backdoor highlights a major flaw in Nix | Shade's Blog

shadeyg56.vercel.app How the xz backdoor highlights a major flaw in Nix | Shade's Blog

Background On Friday, March 29th, 2024, a historical and sophisticated security vulnerability (CVE-2024-3094) was discovered in the XZ Utils package and liblzma api in version 5.6.0 and 5.6.1. While this vulnerability mostly affects Debian and RedHat distributions, there was some interesting discuss...

Linux @lemmy.ml d3Xt3r @lemmy.nz 3 mo. ago

How the xz backdoor highlights a major flaw in Nix

shadeyg56.vercel.app /posts/nixos/xz-backdoor/

11 comments

Nix lets you go back, and you and even mix channels. Pulling one package from a different version.
- That's true, but you have to know there was a backdoor first. If someone doesn't know, and they use the latest version, they're vulnerable to attack
  
  @starman @GarlicToast true but I don't think you can use nix and not know about the xz exploit within minutes of it being found out.
  
  If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade
  
  NixOS is aimed at highly technical people. You literally code your system structure.
- That works for leaf packages but not for core node packages. Every package depends on xz in some way; it's in the stdenv aswell as bootstrap.
  
  You are right, it will be a mess to pull xz from a different hash. This is why you go back to an older build, and keep only packages you need on the newer version.

You've viewed 11 comments.