7 mo. ago • 88%

How the xz backdoor highlights a major flaw in Nix | Shade's Blog

shadeyg56.vercel.app How the xz backdoor highlights a major flaw in Nix | Shade's Blog

Background On Friday, March 29th, 2024, a historical and sophisticated security vulnerability (CVE-2024-3094) was discovered in the XZ Utils package and liblzma api in version 5.6.0 and 5.6.1. While this vulnerability mostly affects Debian and RedHat distributions, there was some interesting discuss...

Linux @lemmy.ml How the xz backdoor highlights a major flaw in Nix

11 comments

Nix lets you go back, and you and even mix channels. Pulling one package from a different version.

6
- That's true, but you have to know there was a backdoor first. If someone doesn't know, and they use the latest version, they're vulnerable to attack
  
  5
  
  @starman @GarlicToast true but I don't think you can use nix and not know about the xz exploit within minutes of it being found out.
  
  7
  
  NixOS is aimed at highly technical people. You literally code your system structure.
  
  4
  
  If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade
  
  4
- That works for leaf packages but not for core node packages. Every package depends on xz in some way; it's in the stdenv aswell as bootstrap.
  
  1
  
  You are right, it will be a mess to pull xz from a different hash. This is why you go back to an older build, and keep only packages you need on the newer version.
  
  1

You've viewed 11 comments.