• starman@programming.devOP
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      edit-2
      8 months ago

      That’s true, but you have to know there was a backdoor first. If someone doesn’t know, and they use the latest version, they’re vulnerable to attack

      • pbsds
        link
        fedilink
        English
        arrow-up
        3
        ·
        8 months ago

        If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade

        • Atemu
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          8 months ago

          That’s a nice idea in theory but not possible in practice as the last Nixpkgs revision without a tainted version of xz is many months old. You’d trade one CVE for dozens of others.

    • Atemu
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      That works for leaf packages but not for core node packages. Every package depends on xz in some way; it’s in the stdenv aswell as bootstrap.

      • GarlicToast@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        You are right, it will be a mess to pull xz from a different hash. This is why you go back to an older build, and keep only packages you need on the newer version.

        • Atemu
          link
          fedilink
          English
          arrow-up
          1
          ·
          7 months ago

          Those packages themselves depend on xz. Pretty much all of them.

          What you’re suggesting would only make the xz executable not be backdoored anymore but any other application using liblzma would still be as vulnerable as before. That’s actually the only currently known attack vector; inject malicious code into SSHD via liblzma.