It’s possible, but at the very least someone glances over the derivation since it’s part of the actual nixpkgs repo right? AUR on the other hand is a wild west.
Yeah if the url is https://i_hack.you/ yeah that will be easy to spot. But imagine an attacker just to a “patch update”, updating the url and hash to the malicious repository, and use a typo squatted domain/repository, that will make it harder to spot.
I don’t see how it would happen. Nix is immune bc hashes are constantly checked, you can’t swap in malicious code without a person noticing bc it might throw a mismatched hash error. Also nixpkgs has been really good about vetting packages, I don’t expect them to look too closely into the source codes of everything but if something malicious were to happen like what is happening to AUR someone would see it way faster
The AUR attack attacked the build files. On nix, you could easily set a new download url for the package, set the new hash, and claim the project has moved to a new repo/site.
That would require a second person to vet on it, but it could be seen as normal for a maintainer not in the know about the project.
New packages are harder to pass, but it could also work.
As a nix user, I wouldn’t laugh. We are vulnerable to this type of attack as well.
Heck, it’s surprising we aren’t full of malware considering how many packages there are, and an easy supply chain attack vector with auto RyanTM PRs.
It’s possible, but at the very least someone glances over the derivation since it’s part of the actual nixpkgs repo right? AUR on the other hand is a wild west.
Yes, on one hand every commit to nixpkgs needs review (to some degree) on the other hand there are far too many committers to nixpkgs.
There are also gaps such as the bots to auto-merge packages with maintainer approval, so a simple attack looks like this:
So nixpkgs is better than the AUR, but it isn’t great and unlike Arch has no separate official repos.
Yeah if the url is https://i_hack.you/ yeah that will be easy to spot. But imagine an attacker just to a “patch update”, updating the url and hash to the malicious repository, and use a typo squatted domain/repository, that will make it harder to spot.
No, it would actually be quite easy to spot.
Nixpkgs templates the source code url fro the url, and then it injects a variable
Here is an example from bash:
pname = "bash${lib.optionalString interactive "-interactive"}"; version = "5.3${fa.patch_suffix}"; patch_suffix = "p${toString (builtins.length upstreamPatches)}"; src = fetchurl { url = "mirror://gnu/bash/bash-$%7Blib.removeSuffix fa.patch_suffix fa.version}.tar.gz"; hash = "sha256-DVzYaWX4aaJs9k9Lcb57lvkKO6iz104n6OnZ1VUPMbo="; };If the url were to be changed, it would show up as a change in git when someone is reviewing before merging.
I don’t see how it would happen. Nix is immune bc hashes are constantly checked, you can’t swap in malicious code without a person noticing bc it might throw a mismatched hash error. Also nixpkgs has been really good about vetting packages, I don’t expect them to look too closely into the source codes of everything but if something malicious were to happen like what is happening to AUR someone would see it way faster
It’s 2005 and “you can’t get viruses on
MacNix” advertising is playing all over againThe AUR attack attacked the build files. On nix, you could easily set a new download url for the package, set the new hash, and claim the project has moved to a new repo/site.
That would require a second person to vet on it, but it could be seen as normal for a maintainer not in the know about the project.
New packages are harder to pass, but it could also work.
Yea. especially if you use flakes heavily. It’s so decentralized it could take longer to catch.