NixOS and reproducible builds could have detected the xz backdoor
Published on: 2025-06-03 12:39:59
How NixOS and reproducible builds could have detected the xz backdoor for the benefit of all
Published on 2025-03-20
Estimated reading time: 22 min
Introduction
In March 2024, a backdoor was discovered in xz, a (de)compression tool that sits at the core of Linux distributions, where it is routinely used to unpack the source tarballs of packaged software. The backdoor had been covertly inserted by a malicious maintainer under the pseudonym Jia Tan over a period of three years. This event deeply stunned the open source community, as the attack was both of massive impact (it allowed remote code execution on all affected machines that had ssh installed) and extremely difficult to detect. In fact, it was only thanks to the diligence (and maybe luck) of Andres Freund – a Postgres developer working at Microsoft – that the catastrophe was avoided: while investigating a seemingly unrelated 500ms performance regression in ssh that he was experiencing on several Debian unstable machines, he was able to tr