Background On Friday, March 29th, 2024, a historical and sophisticated security vulnerability (CVE-2024-3094) was discovered in the XZ Utils package and liblzma api in version 5.6.0 and 5.6.1. While this vulnerability mostly affects Debian and RedHat distributions, there was some interesting discussion regarding xz and Nix.
How did this affect Nix and NixOS? The truth is not a whole lot in reality. I saw conflicting reports, but supposedly, the tarballs of xz that Nix downloads were not infected.
If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade
That’s a nice idea in theory but not possible in practice as the last Nixpkgs revision without a tainted version of xz is many months old. You’d trade one CVE for dozens of others.