• mvirts@lemmy.world
    link
    fedilink
    arrow-up
    36
    ·
    8 months ago

    Lol we can be smug until someone sneaks a backdoor into nixpkgs for a while. For user envs updating the system doesnt mean the compromise is gone, although checking would be super easy.

  • unhinge@programming.dev
    link
    fedilink
    English
    arrow-up
    3
    ·
    8 months ago

    I wouldn’t be so sure it doesn’t affect NixOS[1].

    I am not a security researcher, nor a reverse engineer. There’s lots of stuff I have not analyzed and most of what I observed is purely from observation rather than exhaustively analyzing the backdoor code.

    Also, it may take 10 days to downgrade the package[2].


    1. 1 ↩︎

    2. 2 ↩︎

    • fl42v@lemmy.mlOP
      link
      fedilink
      arrow-up
      1
      ·
      8 months ago

      Yea, but the move to verify the path seemed somewhat funny at the time. As for the second part - it’s a shame, but expected: they need to re-compile like everything. So, I just decided to wait since all my machines are ssh-ible from VPN only