Nix 2.24.8 released fixing builtin:fetchurl credentials leak, severity 5.9 (moderate)

Sure, but without the advisory, most affected people would’ve felt less urgency to update to a just-released Nix version.

The only people who would’ve been “in the know” between Tweet and advisory are:

  • those who instantly check the release notes of every Nix release (and it’s not even clear where to find them)
  • those who follow DetSys on Twitter

It seems unfair that those who subscribe to security advisories on the Nix repo should be at a disadvantage here. And I’m sure it won’t inspire confidence in the professionalism of the team.

I think this is a pretty clear-cut issue, @edolstra – don’t announce security fixes on the DetSys Twitter first!
