shp0ngle | 1 year ago

Does Nix/Guix solve this?

I have been skeptical of "rewrite everything into rust", but... maybe we should at least rewrite everything into Nix?

blueflow | 1 year ago

No. Nix pulls in tarballs/sources like any other package build system.

api | 1 year ago

Computers have to run software that has to come from somewhere.

I’ve been expecting a supply chain apocalypse for some time now given that the Internet has become a dark forest.

3836293648 | 1 year ago

No. It makes sure its inputs are unchanged, but you can still do anything impure within a build script called by Nix.

It would fix the tarball differing from upstream, but it would still allow the patch to be applied during build.

tomthehero | 1 year ago

Please don't. Nix UX sucks big time. I don't know about Guix, but I'm pretty darn sure that anything else must be better than Nix cuz Nix is the rock bottom.

forgotpwd16 | 1 year ago

Nix UX may suck (doesn't for me, although it can have some improvements) but Nix as a concept/system is still good.

blueflow | 1 year ago

Please elaborate. If I have more substantial facts about it, then I might be more successful in convincing my CTO that it's a bad idea.

stusmall | 1 year ago

Nix might even make it worse. xz made it into unstable and it is part of stdenv. This means almost every package needs to be rebuilt, which takes forever and limits the speed with which it can be reverted. They still have 5.6.1 in unstable and, to be honest, I'm not sure why. I don't know if they are still waiting for CI to chew through the tens of thousands of package rebuilds or if there is something else.

pxc | 1 year ago

Afaict they are in fact waiting for CI to do the big rebuild on staging, in part because the Nixpkgs builds of 5.6.x never pulled down the malicious m4 scripts that inject the backdoor into the output binary (as they never used the release tarball directly from upstream but built from GitHub sources).

See: https://github.com/NixOS/nixpkgs/issues/300055

and: https://github.com/NixOS/nixpkgs/pull/300028

It's also worth noting that Guix is different here, as the grafts mechanism is well-established, so they can get a security patch in for xz without waiting for the mass rebuild, even if it's also in their stdenv or equivalent.

pabs3 | 1 year ago

Rust has the same problem as autotools: crates can be plain git archives but often contain things not in git and miss things that are in git.
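A check for the divergence pxc and pabs3 describe (a release archive carrying files that were never in version control, missing files that were, or shipping altered copies), as an added example that is not from this thread or from Nixpkgs, Guix or any other project named here. The two archives it compares are constructed in memory; in practice you would pass the downloaded release tarball and a `git archive` export of the matching tag.

```python
"""Compare a release tarball with a VCS export; files only in the release are where generated or injected content hides."""
import hashlib
import io
import tarfile


def _contents(tar_bytes: bytes) -> dict[str, str]:
    """Map each regular file (leading directory stripped) to its SHA-256."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Drop the "proj-1.0/" prefix so both archives can be aligned.
            name = member.name.split("/", 1)[-1]
            files[name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return files


def compare_archives(release_tar: bytes, vcs_tar: bytes) -> dict[str, list[str]]:
    """Report files only in the release, only in VCS, and differing in content."""
    rel, vcs = _contents(release_tar), _contents(vcs_tar)
    return {
        "only_in_release": sorted(set(rel) - set(vcs)),
        "only_in_vcs": sorted(set(vcs) - set(rel)),
        "differing": sorted(n for n in set(rel) & set(vcs) if rel[n] != vcs[n]),
    }


def make_tar(prefix: str, files: dict[str, bytes]) -> bytes:
    """Build an in-memory .tar.gz; used here only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: the VCS export holds the reviewed tree; the "release"
# adds a generated m4 file, edits configure.ac and drops a test script.
VCS_TAR = make_tar("proj-1.0", {"configure.ac": b"AC_INIT\n", "src/a.c": b"int x;\n",
                                "tests/check.sh": b"#!/bin/sh\n"})
RELEASE_TAR = make_tar("proj-1.0", {"configure.ac": b"AC_INIT\nextra\n",
                                    "src/a.c": b"int x;\n", "m4/extra.m4": b"dnl x\n"})

if __name__ == "__main__":
    for kind, names in compare_archives(RELEASE_TAR, VCS_TAR).items():
        print(f"{kind}: {names}")
```

Anything listed under `only_in_release` or `differing` is content that never went through the repository's review, so that is the list to inspect before building from the tarball.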