125
open letter to the NixOS foundation
(save-nix-together.org)
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
I wonder if this is social engineering along the same vein as the xz takeover? I see a few structural similarities:
My advice to those attacked here is to keep up the good work on Nix and NixOS, and don't give in to what could be social engineering trying to manipulate you into acting against the community's interests.
Don't know anything about this particular case so while "social engineering to create a backdoor" is certainly a possibility, so is the more straightforward explanation that it is drama about real or perceived problems in the nix community. I think that it's dangerous to dismiss this altogether because of the recent xz debacle.
Too many people involved I think, someone will have to check this but all those members with names attached look like real developers who were significantly contributing to the project. It is perfectly possible for a dictator for life to have festered a toxic culture that got worse over time, and has happened multiple times before.
How much of those are actual people? I count half a dozen git links in the signatures. Those could belong to a single attacker. Everyone else either has an email or an unlinked handle. Who knows if they are Nix devs?
How do you know that’s “KA”?
I think you're right to be suspicious. The XZ attack has showed that there are people and organisations out there that would love to get hold of a piece of trusted critical infrastructure like Nix. They'll go the long lengths to do it, manipulate people, and exploit the maintainer's desire to do the right thing.
And if the person can't stand by their critism and can only give wooly examples, then best to ignore it.
I agree. This immediately jumped out to me as a social engineering attack when they started spouting off about "more people with commit access" and otherwise being anonymous and most of the signatories not on the contributor list, especially at the start.
The original signers include members of the infrastructure and moderation teams. You can find about half of them on Mastodon. They're all well-established community members who hold real responsibility and roles within the NixOS Foundation ecosystem.
Also note that Eelco isn't "a maintainer" but the original author and designer, as well as a de facto founder of Determinate Systems. He's a BDFL. Look at this like the other dethronings of former BDFLs in the D, Python, Perl, Rails, or Scala communities; there's going to be lots of drama and possibly a fork.
You're right. I incorrectly believed that hexa had signed based on their comments elsewhere, but I was wrong.