top | item 39871985

dave_universetf | 1 year ago

It's not a problem, never has been. Nix mirrors all source bundles it pulls from third parties and caches them. cache.nixos.org has a copy of all the sources needed to build not just current HEAD, but also past commits (although deep history might start getting pruned for cost control soon, iiuc).

The Software Heritage archive also has an up to date mirror of xz's repo: https://archive.softwareheritage.org/browse/origin/directory...

ndriscoll | 1 year ago

Are they storing source archives for each version? I'd think mirroring the actual repo might take less space than a bunch of copies of source archives.

Though it looks like git only uses deflate on pack files. Someone should write a patch to add lzma support. :-)

dwattttt | 1 year ago

In this instance then, it sounds like it has cached the source with a backdoor in it, and anyone using it is potentially exposing themselves to a very public problem right now.

dave_universetf | 1 year ago

Also no. It was rolled back hours ago, and cache.nixos.org keeps all past builds so it didn't even need rebuilding.

Orthogonal to that, the backdoor was irrelevant to nix in at least three different ways: the malicious build logic targeted rpm/deb build environments and so didn't trigger in nix's build sandbox, the backdoor code makes assumptions about filesystem layout that are invalid on nixos and so wouldn't have activated anyway, and nix doesn't include the downstream patch that results in the backdoor even getting into sshd's address space. Still got rolled back out of an abundance of caution, but nix got lucky that the attacker didn't bother targeting it the way they did debian and rpm-based distros.
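The comment's third point, that the backdoor only reached sshd's address space on distributions carrying the downstream libsystemd patch, suggests a simple defender-side check: read `/proc/<pid>/maps` for the running sshd and see whether liblzma is mapped at all. The script below is an added example, not code from the thread, from Nix or from OpenSSH; the two maps samples are constructed, and the `/nix/store` hashes and inode numbers in them are placeholders.

```python
"""Check whether a running sshd has liblzma mapped into its address space.

Added example. On a live host, pass the text of /proc/<sshd pid>/maps to
loads_liblzma(), or call check_pid(pid). The samples below are constructed
so the module runs offline.
"""
import re
from pathlib import Path

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})"
    r"\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


def mapped_libraries(maps_text: str) -> set[str]:
    """Return the file-backed shared objects mapped in the process.

    Anonymous mappings and pseudo-paths such as [stack] or [vdso] are
    skipped; the main executable is skipped because it is not a .so.
    """
    libs: set[str] = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if path.startswith("/") and ".so" in Path(path).name:
            libs.add(path)
    return libs


def loads_liblzma(maps_text: str) -> bool:
    """True if any mapped shared object is a liblzma soname (liblzma.so.*)."""
    return any(Path(p).name.startswith("liblzma.so")
               for p in mapped_libraries(maps_text))


def check_pid(pid: int) -> bool:
    """Live variant: inspect a real process by pid (needs read access to /proc)."""
    return loads_liblzma(Path(f"/proc/{pid}/maps").read_text())


# Constructed sample: a deb-style sshd whose libsystemd dependency pulls in liblzma.
SAMPLE_WITH_SYSTEMD = """\
55c1f3a00000-55c1f3a80000 r-xp 00000000 fd:01 1234567 /usr/sbin/sshd
7f2a1c000000-7f2a1c021000 rw-p 00000000 00:00 0
7f2a1c200000-7f2a1c230000 r-xp 00000000 fd:01 2345678 /usr/lib/x86_64-linux-gnu/libsystemd.so.0
7f2a1c400000-7f2a1c425000 r-xp 00000000 fd:01 3456789 /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f2a1c600000-7f2a1c7f0000 r-xp 00000000 fd:01 4567890 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd8b000000-7ffd8b021000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed sample: an sshd built without the libsystemd patch; liblzma is never mapped.
# The store hashes are placeholders, not real Nix store paths.
SAMPLE_WITHOUT_SYSTEMD = """\
55c1f3a00000-55c1f3a80000 r-xp 00000000 fd:01 1234567 /nix/store/PLACEHOLDERHASH-openssh/bin/sshd
7f2a1c600000-7f2a1c7f0000 r-xp 00000000 fd:01 4567890 /nix/store/PLACEHOLDERHASH-glibc/lib/libc.so.6
7ffd8b000000-7ffd8b021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for label, sample in (("deb-style", SAMPLE_WITH_SYSTEMD),
                          ("no-systemd", SAMPLE_WITHOUT_SYSTEMD)):
        print(f"{label}: liblzma mapped = {loads_liblzma(sample)}")
```

A positive result only says liblzma is reachable from sshd, which is the precondition the comment describes, not that the library is a backdoored build; pairing it with a check of the package's recorded source hash against a trusted mirror (cache.nixos.org or the Software Heritage archive mentioned earlier in the thread) is what tells the two apart.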