It’s possible, but at the very least someone glances over the derivation since it’s part of the actual nixpkgs repo right? AUR on the other hand is a wild west.
Yeah if the url is https://i_hack.you/ yeah that will be easy to spot. But imagine an attacker just to a “patch update”, updating the url and hash to the malicious repository, and use a typo squatted domain/repository, that will make it harder to spot.
It’s possible, but at the very least someone glances over the derivation since it’s part of the actual nixpkgs repo right? AUR on the other hand is a wild west.
Yes, on one hand every commit to nixpkgs needs review (to some degree) on the other hand there are far too many committers to nixpkgs.
There are also gaps such as the bots to auto-merge packages with maintainer approval, so a simple attack looks like this:
So nixpkgs is better than the AUR, but it isn’t great and unlike Arch has no separate official repos.
Yeah if the url is https://i_hack.you/ yeah that will be easy to spot. But imagine an attacker just to a “patch update”, updating the url and hash to the malicious repository, and use a typo squatted domain/repository, that will make it harder to spot.
No, it would actually be quite easy to spot.
Nixpkgs templates the source code url fro the url, and then it injects a variable
Here is an example from bash:
pname = "bash${lib.optionalString interactive "-interactive"}"; version = "5.3${fa.patch_suffix}"; patch_suffix = "p${toString (builtins.length upstreamPatches)}"; src = fetchurl { url = "mirror://gnu/bash/bash-$%7Blib.removeSuffix fa.patch_suffix fa.version}.tar.gz"; hash = "sha256-DVzYaWX4aaJs9k9Lcb57lvkKO6iz104n6OnZ1VUPMbo="; };If the url were to be changed, it would show up as a change in git when someone is reviewing before merging.