xz
It occurs to me that a lot of distros probably have a lot of already-built packages that involved one of the suspicious xz versions in their build process, and I don't know that they all have the tooling to track which packages need to be rebuilt...
xz, gloating
@syn Yes, though arguably an accidental one, sort of - it's not really what the dependency system was *designed* for afaik, just a consequence of the design choices
xz, gloating
@syn (It's kind of hard to classify these things because Nix is in a category of software where "benefits we didn't anticipate" are expected as a category, it's just not known which benefits they will be)
xz, gloating
@joepie91 I'd argue that "exact input tracking" is very much an explicit design goal
xz, gloating
@syn Yes, but not for the specific purpose of knowing what packages to rebuild if a backdoor were ever discovered
xz
@joepie91 that's only for stuff that's it statically linked with tho, since all of it is just in the .so?
xz
@eater xz is a part of *the build process itself* in many cases - extracting source archives, that sort of thing. So it could have affected the source of other applications at any point in that process, in a way that's impossible to trace back.
So anything that has come into contact with xz at any point in its build or distribution process, while this new maintainer was involved, is now suspect. That's... a double-digit percentage of packages on a typical system, I suspect.
xz
@eater (This is basically a 'trusting trust' type of situation, except one we have plausible evidence for)
xz, gloating
@joepie91 another nixos w