
dave_universetf | 1 year ago

Also no. It was rolled back hours ago, and cache.nixos.org keeps all past builds so it didn't even need rebuilding.

Orthogonal to that, the backdoor was irrelevant to nix in at least three different ways: the malicious build logic targeted rpm/deb build environments and so didn't trigger in nix's build sandbox, the backdoor code makes assumptions about filesystem layout that are invalid on nixos and so wouldn't have activated anyway, and nix doesn't include the downstream patch that results in the backdoor even getting into sshd's address space. Still got rolled back out of an abundance of caution, but nix got lucky that the attacker didn't bother targeting it the way they did Debian and rpm-based distros.
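The third point above (whether the distro's sshd links liblzma at all) is something a defender can check on any host. The script below is an added example, not the commenter's code or anything from Nix; `SSHD_PATH` and the two ldd outputs are constructed assumptions, and the parser is separated from the `ldd` call so the logic can be exercised without a real sshd binary.

```shell
#!/bin/sh
# Added example: does this sshd pull liblzma into its address space?
# SSHD_PATH and the sample ldd output below are assumptions, not captures.
SSHD_PATH="${SSHD_PATH:-/usr/sbin/sshd}"

# lzma_in_ldd: read ldd-style output on stdin, print any liblzma line,
# return 0 if one was present and 1 otherwise.
lzma_in_ldd() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            *liblzma.so*) printf '%s\n' "$line"; found=0 ;;
        esac
    done
    return "$found"
}

# check_sshd: run ldd on the given binary and classify the result.
# Returns 0 if liblzma is linked, 1 if not, 2 if the binary is missing.
check_sshd() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "no sshd at $bin"
        return 2
    fi
    if ldd "$bin" 2>/dev/null | lzma_in_ldd; then
        echo "$bin links liblzma (typically via a distro systemd patch): audit it"
        return 0
    fi
    echo "$bin does not link liblzma: upstream-style layout"
    return 1
}

# Constructed sample ldd output for a distro-patched sshd (not a real capture).
SAMPLE_PATCHED='    linux-vdso.so.1 (0x00007ffd)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f00)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f01)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)'
# Constructed sample for an sshd without the downstream patch.
SAMPLE_UPSTREAM='    linux-vdso.so.1 (0x00007ffd)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f00)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)'

# Run the live check only when invoked as: sh check_sshd.sh --run
if [ "${1:-}" = "--run" ]; then
    check_sshd "$SSHD_PATH"
fi
```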
