I don’t see how it would happen. Nix is immune bc hashes are constantly checked, you can’t swap in malicious code without a person noticing bc it might throw a mismatched hash error. Also nixpkgs has been really good about vetting packages, I don’t expect them to look too closely into the source codes of everything but if something malicious were to happen like what is happening to AUR someone would see it way faster
The AUR attack attacked the build files. On nix, you could easily set a new download url for the package, set the new hash, and claim the project has moved to a new repo/site.
That would require a second person to vet on it, but it could be seen as normal for a maintainer not in the know about the project.
New packages are harder to pass, but it could also work.
I don’t see how it would happen. Nix is immune bc hashes are constantly checked, you can’t swap in malicious code without a person noticing bc it might throw a mismatched hash error. Also nixpkgs has been really good about vetting packages, I don’t expect them to look too closely into the source codes of everything but if something malicious were to happen like what is happening to AUR someone would see it way faster
It’s 2005 and “you can’t get viruses on
MacNix” advertising is playing all over againThe AUR attack attacked the build files. On nix, you could easily set a new download url for the package, set the new hash, and claim the project has moved to a new repo/site.
That would require a second person to vet on it, but it could be seen as normal for a maintainer not in the know about the project.
New packages are harder to pass, but it could also work.