• starman@programming.devOP
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    1
    ·
    edit-2
    7 months ago

    That’s true, but you have to know there was a backdoor first. If someone doesn’t know, and they use the latest version, they’re vulnerable to attack

    • pbsds@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      ·
      7 months ago

      If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade

      • Atemu@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        7 months ago

        That’s a nice idea in theory but not possible in practice as the last Nixpkgs revision without a tainted version of xz is many months old. You’d trade one CVE for dozens of others.