**Sven Slootweg** @joepie91@pixie.town · Mar 30, 2024, 10:41

**Sven Slootweg** @joepie91@pixie.town · Mar 30, 2024, 10:41

Sven Slootweg @joepie91@pixie.town

Mar 30, 2024, 10:41

It occurs to me that a lot of distros probably have a lot of already-built packages that involved one of the suspicious xz versions in their build process, and I don't know that they all have the tooling to track which packages need to be rebuilt...

**syn** @syn@ohai.social · Mar 30, 2024, 10:42

**syn** @syn@ohai.social · Mar 30, 2024, 10:42

Mar 30, 2024, 10:42

syn @syn@ohai.social

xz, gloating

@joepie91 another nixos w

**Sven Slootweg** @joepie91@pixie.town · Mar 30, 2024, 10:43

**Sven Slootweg** @joepie91@pixie.town · Mar 30, 2024, 10:43

Mar 30, 2024, 10:43

Sven Slootweg @joepie91@pixie.town

xz, gloating

@syn Yes, though arguably an accidental one, sort of - it's not really what the dependency system was *designed* for afaik, just a consequence of the design choices

**syn** @syn@ohai.social · Mar 30, 2024, 10:49

**syn** @syn@ohai.social · Mar 30, 2024, 10:49

Mar 30, 2024, 10:49

syn @syn@ohai.social

xz, gloating

@joepie91 I'd argue that "exact input tracking" is very much an explicit design goal

**Sven Slootweg** @joepie91@pixie.town · 2024-03-30T10:50:13Z

Sven Slootweg @joepie91@pixie.town

xz, gloating

@syn Yes, but not for the specific purpose of knowing what packages to rebuild if a backdoor were ever discovered

Mar 30, 2024, 10:50 · · Web · · ·

Resources

Developers

What is Mastodon?

pixie.town

More…