Now that I have migrated some of my hosts to #NixOS, I do have a bad feeling because of #Microsoft and most probably GitHub being hacked. As mentioned on https://www.karl-voit.at/2023/09/12/nix/ the deep #GitHub dependency turns out to be a real downer for this OS. #security #integrity
@033b744f While I agree with you, there are issues, I worry that your framing is flirting with baseless conspiracies as you seems to be ignoring that there are many safeguards in place to avoid letting GitHub corrupt the whole project. Even if we didn't use GitHub, you have to understand that NixOS / Nixpkgs cannot force anyone we are consuming packages of to migrate somewhere else. Either case, I think this is kinda FUD…
@7c36db82 I can't follow your accusation. The facts show that Microsoft got compromised since at least 2021-04. There is no claim by MS I know of that GH is completely separated from MS infrastructure that got compromised. Current NixOS setups are pulling from GitHub which belongs to Microsoft. Yes, this can be changed but that's not the point here at all. As far as I know, you can't protect yourself from a bad actor that has more or less full access to the GH infrastructure and backends. 1/2
@033b744f You are jumping from MSFT got compromised at time T to MSFT is still compromised and all GH repos are compromised with full capabilities for attackers. This is one of my accusation. > As far as I know, you can't protect yourself from a bad actor that has more or less full access to the GH infrastructure and backends. Assuming this without proof is, to be honest, conspiracy. I don't like Microsoft neither, but this is ridiculous.
@7c36db82 2/2 Yes, there is no proof or indication that anything happened to any GH repository yet. 👍 However, in IT security, you don't rely on lucky guess. A compromised network is still a compromised network and needs to be restarted from a clean status. It doesn't look like MS is going to setup major parts of their infrastructure to introduce trustworthy hosts again. So where's the FUD in terms of reasoning?
@033b744f > So where's the FUD in terms of reasoning? > It *doesn't look like* MS is going to setup major parts of their infrastructure to introduce trustworthy hosts again. I think you answered yourself very well. In IT security, lucky guess are not primitives to build threat models. Hypotheses, assumptions, economics, politics, technical measures and careful analyses are. What you are doing is just lucky guessing that MSFT didn't do any form of "reasonable" due diligence.