I wonder if this is social engineering along the same vein as the xz takeover? I see a few structural similarities:
- A lot of pressure being put on a maintainer for reasons that are not particularly obvious what they are all about to an external observer.
- Anonymous source other than calling themselves KA - so that it can’t be linked to them as a past contributor / it is not possible to find people who actually know the instigator. In the xz case, a whole lot of anonymous personas showed up to put the maintainer under pressure.
- A major plank of this seems to be attacking a maintainer for “Avoiding giving away authority”. In the xz attack, the attacker sought to get more access and created astroturfed pressure to achieve that ends.
- It is on a specially allocated domain with full WHOIS privacy, hosted on GitHub on an org with hidden project owners.
My advice to those attacked here is to keep up the good work on Nix and NixOS, and don’t give in to what could be social engineering trying to manipulate you into acting against the community’s interests.
Don’t know anything about this particular case so while “social engineering to create a backdoor” is certainly a possibility, so is the more straightforward explanation that it is drama about real or perceived problems in the nix community. I think that it’s dangerous to dismiss this altogether because of the recent xz debacle.
Too many people involved I think, someone will have to check this but all those members with names attached look like real developers who were significantly contributing to the project. It is perfectly possible for a dictator for life to have festered a toxic culture that got worse over time, and has happened multiple times before.
How much of those are actual people? I count half a dozen git links in the signatures. Those could belong to a single attacker. Everyone else either has an email or an unlinked handle. Who knows if they are Nix devs?
Removed by mod
How do you know that’s “KA”?
I think you’re right to be suspicious. The XZ attack has showed that there are people and organisations out there that would love to get hold of a piece of trusted critical infrastructure like Nix. They’ll go the long lengths to do it, manipulate people, and exploit the maintainer’s desire to do the right thing.
And if the person can’t stand by their critism and can only give wooly examples, then best to ignore it.
I agree. This immediately jumped out to me as a social engineering attack when they started spouting off about “more people with commit access” and otherwise being anonymous and most of the signatories not on the contributor list, especially at the start.
The original signers include members of the infrastructure and moderation teams. You can find about half of them on Mastodon. They’re all well-established community members who hold real responsibility and roles within the NixOS Foundation ecosystem.
Also note that Eelco isn’t “a maintainer” but the original author and designer, as well as a de facto founder of Determinate Systems. He’s a BDFL. Look at this like the other dethronings of former BDFLs in the D, Python, Perl, Rails, or Scala communities; there’s going to be lots of drama and possibly a fork.
deleted by creator
You’re right. I incorrectly believed that hexa had signed based on their comments elsewhere, but I was wrong.
Removed by mod
We have heard from multiple people in multiple unrelated contexts that they are hoping for a hard fork of the entire community over the continued inaction on the toxic culture in the Nix project.
Oh yes, please. My experiences on the nix community forums and matrix have been soured by the actions of high-level contributors. They are simply unable to view things from another perspective and harshly defend their perceived territory. I accept that they make mistakes as we are all human, but they are aware of their positions of power and happily take advantage of it.
My major problem has been the documentation of the project and how top contributors are unable to accept how bad it is. Discussions about improvements and attempts at improving it at regularly shut down or impeded. Coming back to the “harsh defense of perceived territory”, it distinctly feels like existing teams are supposed to be the only ones making changes to the things they own. Contributions from “outsiders” never exit nix review hell and are nitpicked to death.
A hard fork doesn’t guarantee existing problems won’t be copy-pasted into a new community (humans be humans), but at least if a new one started there’d be an attempt at resolving existing problems.
(no, I’m not xz’ist - this is a real person with a real opinion)
Edit: I realise I don’t have the same issues as described in this open letter which seems to be focused on Eelco. There have been no interactions with the dude, so I can’t judge, but interactions with some high-level nix members haven’t been pleasant.
My major problem has been the documentation of the project and how top contributors are unable to accept how bad it is. Discussions about improvements and attempts at improving it at regularly shut down or impeded. Coming back to the “harsh defense of perceived territory”, it distinctly feels like existing teams are supposed to be the only ones making changes to the things they own. Contributions from “outsiders” never exit nix review hell and are nitpicked to death.
I made a one time contribution to the nix docs, I also got the impression that managing documentation could be better but it did got accepted after a few changes.
With that said there are alternative projects that provide a form of documentation to nix.
deleted by creator
Yeah, I enjoy hitting F3 twelve times to find the beginning of
mkDerivation
documentation - silly me, I must’ve known to search for “stdenv” documentation. Or having to find the source-code ofmakeWrapper
because the documentation for it is mostly in themake-wrapper.sh
. Or trying to find a lib function in the unsorted list of library functions.But why is reference documentation in the “manual” anyway and loaded as a single html? The configuration options are also one humongous html, but separated from the manual. So it is possible to separate the manual, but it hasn’t been done for some reason.
Python uses sphinx or mkdocs, rust usescargo doc
, and C/C++ (+ other languages) use doxygen, and they generate multi page, static, documentation with quite reasonable search, but for some reason nix went the single document way requiring Ctrl+F.It is slowly getting better, but I find external sources to often be much better than the manuals.
deleted by creator
Lol, I’m a contributor nix related projects (and formerly nixos) with rejected doc related PRs. I tried to help and it wasn’t wanted 🤷
So sorry for having an opinion on the perfect state of nix/nixos documentation. I must not be seeing its perfection.
deleted by creator
Could someone share the contents of it? Have newly registered domains blocked by default.
WayBackMachine copy : https://web.archive.org/web/20240421184131/https://save-nix-together.org/
Thank you 🙌
You’re not missing anything. Also I’d like to know how you’re blocking those.
NextDNS. Has a setting to block all domains that’s newer than 30days. Which imo is a very very good idea to have on, considering malware and scams. And I very rarely visit such new sites, and if I do (I learnt now) I can just shive the url in Archive and it will show it to me that way.
Fork it, maintain it, and move on. RHEL was forked into Alma/Rocky when the original provider’s goals, and their community’s goals were not in alignment. So far, the forks have improved the ecosystem over all. Fork Nix/NixOS and build the community. Its no different than the Debian derivatives like Mint or Ubuntu.
deleted by creator
Can someone ELI5 what’s going on? Seems like they are still fighting about Nix allowing a defense company to sponsor their conferences, and trying to ad hominem the project leaders.
not without getting all my messages removed by mods, apparently. they’re probably either in on it or being harassed by these people too.
I can’t say I care much about this. It sounds like they are just making noise
I have never used Nix and I don’t see its immediate applications for what I do but seeing this has me concerned about adopting it.
Nix is already beyond fucked because they actively dismiss the need for appropriate security measures to prevent supply chain attacks. There were multiple discussions about this over the years that appear to have succumbed to neglect.
I wouldn’t trust nix, just like I don’t trust pip, brew, or a whole plethora of other package managers and repositories. They are just too neglectful
Can you elaborate?
If I were to fully elaborate, I’d be typing for hours, so I’ll sum up:
- pip - default behavior is to install to system-wide site packages. In a venv, it will try to upgrade/uninstall system packages without notice/consent unless you specify
--require-virtualenv
. Multiple things can fuck up your ENV to make the python binaries point to system-wide, while your terminal will still show you as in a venv. Also why TF would package metadata files need to be executable? Bad practice, -1/10 - nix - they acknowledged years ago that they should probably have some kind of package signing and perhaps an SBOM or similar mechanism, but then did nothing to implement it and just said “oh well, guess we’re vulnerable to supply chain attacks, best not to think about it”
- brew - installing packages parallel to your system packages manager, without containers. My chief complaint here is that brew is a secondary package manager that people might treat as a “set and forget” for some packages, rarely updating them. So what happens when a standard library used by a brew package is vuln? A naive Linux user might update their system packages but totally forget to update brew. And when updating brew, you can easily hit max_open_file_descriptors because kitchen sink
From there, it’s all extremely nit-picky and paranoid-fueled-- basically, none of the package managers I mentioned are conducive, in my eyes at least, to a secure and intuitive compute environment.
Unfortunately, there’s not much I can do about it except bang pots and pans and throw maintainers under buses when the issue that has been present for years rears it’s ugly head. Because they are the only ones who can change this, and pressure is the only thing that might motivate them to.
Those criticisms seem reasonable. Regarding package signing, are you referring to https://github.com/NixOS/nix/issues/613#issuecomment-134361033? Additionally, that default for pip seems veritably insane. I understand using system packages, but modifying packages outside the virtual environment is definitely weird.
- pip - default behavior is to install to system-wide site packages. In a venv, it will try to upgrade/uninstall system packages without notice/consent unless you specify
Removed by mod