this post was submitted on 18 Jun 2026
59 points (91.5% liked)

linuxmemes

31788 readers
1726 users here now

Hint: :q!

Sister communities:

Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
  • Don't get baited into back-and-forth insults. We are not animals.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
    • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn, no politics, no trolling or ragebaiting.
  • Don't come looking for advice, this is not the right community.
    • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
    • 5. πŸ‡¬πŸ‡§ Language/язык/Sprache
  • This is primarily an English-speaking community. πŸ‡¬πŸ‡§πŸ‡¦πŸ‡ΊπŸ‡ΊπŸ‡Έ
  • Comments written in other languages are allowed.
  • The substance of a post should be comprehensible for people who only speak English.
  • Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
    • 6. (NEW!) Regarding public figuresWe all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations.
  • Keep discussions polite and free of disparagement.
  • We are never in possession of all of the facts. Defamatory comments will not be tolerated.
  • Discussions that get too heated will be locked and offending comments removed.
    • Β 

    Please report posts and comments that break these rules!

    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.

    founded 3 years ago
    MODERATORS
    zephyr@lemmy.world
    rtxn@lemmy.world
    59
    nixpkgs > aur (programming.dev)
    submitted 1 hour ago by danhab99@programming.dev to c/linuxmemes@lemmy.world
    13 comments fedilink hide all child comments
     

    cross-posted from: https://programming.dev/post/52191489

    top 13 comments
    sorted by: hot top controversial new old
    [–] RustyNova@lemmy.world 28 points 1 hour ago (3 children)

    As a nix user, I wouldn't laugh. We are vulnerable to this type of attack as well.

    Heck, it's surprising we aren't full of malware considering how many packages there are, and an easy supply chain attack vector with auto RyanTM PRs.

    [–] juipeltje@lemmy.world 5 points 54 minutes ago

    It's possible, but at the very least someone glances over the derivation since it's part of the actual nixpkgs repo right? AUR on the other hand is a wild west.

    [–] Kronusdark@lemmy.world 3 points 1 hour ago

    Yea. especially if you use flakes heavily. It’s so decentralized it could take longer to catch.

    [–] danhab99@programming.dev 2 points 55 minutes ago

    I don't see how it would happen. Nix is immune bc hashes are constantly checked, you can't swap in malicious code without a person noticing bc it might throw a mismatched hash error. Also nixpkgs has been really good about vetting packages, I don't expect them to look too closely into the source codes of everything but if something malicious were to happen like what is happening to AUR someone would see it way faster

    [–] panda_abyss@lemmy.ca 8 points 59 minutes ago* (last edited 56 minutes ago)

    AUR: it happened to me, and one day it will happen to you!

    This is still the shai hulud worm.

    There’s no reason nixpkgs hasn’t been hacked yet. It jest depends on a few devs credentials being stolen, either by vscode, an npm package, a pypi dep, etc.

    [–] sudoMakeUser@sh.itjust.works 11 points 1 hour ago (2 children)

    I remember when, I think it was either a log4j or CUPS malware attack, Debian remained unaffected because the packages in its repos was too old.

    [–] Skullgrid@lemmy.world 3 points 21 minutes ago

    Slow and steady wins the race

    [–] adarza@piefed.ca 5 points 42 minutes ago

    debian stable misses a lot of the 'fun'.

    [–] UnfortunateShort@lemmy.world 4 points 42 minutes ago

    I mean, no one is stopping you from using Nix on Arch

    [–] Scipitie@lemmy.dbzer0.com 12 points 1 hour ago

    Running both ... Nixpkgs will rightfully laugh about this - in about a month once they caught up on recent events.

    Loving both arch and nixos though!

    [–] eestileib@lemmy.blahaj.zone 2 points 1 hour ago

    Y'all just haven't noticed yet.

    [–] phar@lemmy.world 1 points 1 hour ago

    We're any chaotic-aur packages affected?

    [–] Scipitie@lemmy.dbzer0.com 1 points 1 hour ago

    Running both ... Nixpkgs will rightfully laugh about this - in about a month once they caught up on recent events.

    Loving both arch and nixos though!