NixOS and reproducible builds could have detected the xz backdoor


Julien Malka homepage

This event deeply stunned the open source community, as the attack was both of massive impact (it allowed remote code execution on all affected machines that had ssh installed) and extremely difficult to detect. In fact, it was only thanks to the diligence (and maybe luck) of Andres Freund – a Postgres developer working at Microsoft – that the catastrophe was avoided: while investigating a seemingly unrelated 500ms performance regression in ssh that he was experiencing on several Debian unstable machines, he was able to trace it back to the liblzma library, identify the backdoor and document it.

I removed details here to focus on the most important: the Nix expression is very similar to the actual derivation for xz; the only difference (apart from the method to fetch the source) is that we need to use autoconf to generate configure scripts.

Read more on: xz backdoor, reproducible builds, NixOS

Related news:

- openSUSE Spin Achieves 100% Bit-Identical Packages For Reproducible Builds
- Is NixOS truly reproducible?
- NixOS and Portable Executables