**aeva** @aeva@mastodon.gamedev.place · Mar 30, 2024, 18:43

**aeva** @aeva@mastodon.gamedev.place · Mar 30, 2024, 18:43

aeva @aeva@mastodon.gamedev.place

Mar 30, 2024, 18:43

Question for the beautiful people out there who main guixsd: did guix's whole reproducible builds thing prevent the xz backdoor? I heard it was only present in binaries from the maintainer, so #guix should be immune right?

**robryk** @robryk@qoto.org · 2024-03-30T18:45:50Z

robryk @robryk@qoto.org

@aeva it was only (fully) present in _source tarballs_ from maintainer (but not in the repo), so that depends on where guix was getting its sources from.

Mar 30, 2024, 18:45 · · · ·

**aeva** @aeva@mastodon.gamedev.place · Mar 30, 2024, 18:46

**aeva** @aeva@mastodon.gamedev.place · Mar 30, 2024, 18:46

Mar 30, 2024, 18:46

aeva @aeva@mastodon.gamedev.place

@robryk aaaah

**robryk** @robryk@qoto.org · Mar 30, 2024, 18:47

**robryk** @robryk@qoto.org · Mar 30, 2024, 18:47

Mar 30, 2024, 18:47

robryk @robryk@qoto.org

@aeva

Also, its activation conditions were pretty strict (both at build time as well as at runtime), so there's a good chance it wouldn't enable itself there even if the malicious sources were used.

Trending now

Resources

Developers

What is Mastodon?

qoto.org

More…