NixOS update security

arena653 · November 20, 2025, 10:46am

Hey there,

I just read this thread on another forum. Is that really true and if so how could it be mitigated?

The whole thread I linked is a bit of a mess if you ask me and I’m not really sure what my take away should be from this.

Thanks!

TLATER · November 20, 2025, 11:19am

This comment sums it up pretty well (and no, it’s definitely not LLM-generated, it’s accurate and elaborate, and addresses things very precisely; LLMs don’t generate this level of quality): Remove NixOS or add warning in the recommendation - #10 by DailyChems - Tool Suggestions - Privacy Guides Community

Yes, you are ultimately trusting microsoft’s SSL certs when you call nix flake update. It’d be nice if nix could also verify commit signatures so this could instead be derived from community signatures, and there are proposals for that, but that isn’t in place today.

I agree trusting microsoft not to MITM you is a risk you’re not taking with other distros, where the updates are wholly signed by distro maintainer keys; There are however much easier ways to compromise nixpkgs than stealing microsoft’s SSL certificates, so the actual impact of this is a bit theoretical. You can indeed mitigate this pretty well if you distrust microsoft.

There are some wild other claims in that thread beyond that; the other people in the thread seem to not really understand how nix works.

rnhmjoj · November 20, 2025, 11:22am

nix flake update has no actual verification of the authenticity of the flake. Say you run a nix flake update and somehow the github repo or there’s a mitm attack to github, nix has no way of knowing if the original maintainers of the flake are the ones that sent you the current copy of the flake you have.

I don’t know much about flakes, but I guess they use https like everything else Nix fetches, so the MitM attack on Github is nonsense.

However, most if not all packages, do not verify a (say PGP) signature of the sources, but only a cryptographic hash, so if there is a malicious takeover of a repository, yes you’re going to be compromised.

raboof · November 20, 2025, 11:27am

Does anyone see which mention/recommendation of NixOS they’re proposing to remove (or add a warning to)? Curious about context.

(as mentioned above there’s some nuanced things to say about our trust of GitHub, but from that to “all the security is thrown out of the window” is quite a leap)

arena653 · November 20, 2025, 11:34am

NixOS is a recommendation on Privacyguides. The OP of the thread I linked wants to remove that recommendation as far as I understand.