this post was submitted on 03 Apr 2024
35 points (88.9% liked)

Nix / NixOS

1768 readers
2 users here now

Main links

Videos

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] starman@programming.dev 5 points 7 months ago* (last edited 7 months ago) (3 children)

That's true, but you have to know there was a backdoor first. If someone doesn't know, and they use the latest version, they're vulnerable to attack

[–] danmac@aus.social 7 points 7 months ago (1 children)

@starman @GarlicToast true but I don't think you can use nix and not know about the xz exploit within minutes of it being found out.

[–] onlinepersona@programming.dev 3 points 7 months ago (1 children)

Do you have an RSS feed of CVEs impacting Nixos?

Anti Commercial AI thingyCC BY-NC-SA 4.0

[–] lambda@programming.dev 2 points 7 months ago

I believe the point they were making is that if you are techy enough to use nix, they are likely the type to keep up to date with news like this.

[–] pbsds@lemmy.ml 4 points 7 months ago (1 children)

If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade

[–] Atemu@lemmy.ml 2 points 7 months ago* (last edited 7 months ago)

That's a nice idea in theory but not possible in practice as the last Nixpkgs revision without a tainted version of xz is many months old. You'd trade one CVE for dozens of others.

[–] GarlicToast@programming.dev 4 points 7 months ago

NixOS is aimed at highly technical people. You literally code your system structure.