this post was submitted on 03 Apr 2024
36 points (90.9% liked)

Nix / NixOS

1758 readers
60 users here now

Main links

Videos

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 7 months ago* (last edited 7 months ago) (3 children)

That's true, but you have to know there was a backdoor first. If someone doesn't know, and they use the latest version, they're vulnerable to attack

[–] [email protected] 7 points 7 months ago (1 children)

@starman @GarlicToast true but I don't think you can use nix and not know about the xz exploit within minutes of it being found out.

[–] [email protected] 3 points 7 months ago (1 children)

Do you have an RSS feed of CVEs impacting Nixos?

Anti Commercial AI thingyCC BY-NC-SA 4.0

[–] [email protected] 2 points 7 months ago

I believe the point they were making is that if you are techy enough to use nix, they are likely the type to keep up to date with news like this.

[–] [email protected] 4 points 7 months ago

NixOS is aimed at highly technical people. You literally code your system structure.

[–] [email protected] 4 points 7 months ago (1 children)

If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

That's a nice idea in theory but not possible in practice as the last Nixpkgs revision without a tainted version of xz is many months old. You'd trade one CVE for dozens of others.