Title: How NixOS could have detected the xz attack
Date: 2025-10-01
Authors: J. Malka
Preprint: hal-05326226
Abstract
In March 2024, a backdoor was discovered in xz, a compression tool widely used across Linux distributions. This work analyzes the backdoor's mechanics and explores how bitwise build reproducibility, systematically applied within the nixpkgs bootstrap, could have mechanically detected the compromise. It proposes a concrete verification scheme: after the bootstrap, rebuild suspect packages from independently sourced tarballs and check that the build outputs converge bit for bit.
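The following is an added example of the convergence check the abstract describes; it is not code from the paper or from nixpkgs. It rebuilds one package from two source trees obtained from different origins (constructed in memory here, standing in for two independently sourced tarballs), compares the outputs bitwise, and, when they diverge, reports which source paths differ so a reviewer knows where to look. The `build` function is an assumed deterministic stand-in for a real reproducible build; the sample trees and file names are constructed for the example.

```python
"""Bitwise convergence check between two independently sourced builds.

Added illustration of the scheme in the abstract (not the paper's code).
`build` is an assumed stand-in for a real, reproducible package build;
the source trees below are constructed sample data.
"""
import hashlib
from typing import Dict, List, Tuple

SourceTree = Dict[str, bytes]  # relative path -> file contents


def build(tree: SourceTree) -> bytes:
    """Deterministic stand-in for a reproducible build (assumption).

    The 'artifact' is a digest over the sorted (path, contents) pairs, so
    any change to any build input changes the output, just as a real
    reproducible build would change bit for bit.
    """
    h = hashlib.sha256()
    for path in sorted(tree):
        h.update(path.encode() + b"\0" + tree[path] + b"\0")
    return h.digest()


def artifact_hash(artifact: bytes) -> str:
    """Hex digest of a build output, the value a distribution would record."""
    return hashlib.sha256(artifact).hexdigest()


def source_diff(a: SourceTree, b: SourceTree) -> List[str]:
    """List paths present in only one tree or whose contents differ."""
    diffs = []
    for path in sorted(set(a) | set(b)):
        if path not in a:
            diffs.append(f"only in B: {path}")
        elif path not in b:
            diffs.append(f"only in A: {path}")
        elif a[path] != b[path]:
            diffs.append(f"differs: {path}")
    return diffs


def check_convergence(tree_a: SourceTree, tree_b: SourceTree) -> Tuple[bool, List[str]]:
    """Build both trees; return (converged, explanation of divergence).

    Convergence means the two outputs are byte-identical. On divergence the
    source-level differences are returned so the reviewer can inspect them.
    """
    out_a = build(tree_a)
    out_b = build(tree_b)
    if out_a == out_b:
        return True, []
    return False, source_diff(tree_a, tree_b)


# Constructed sample: a tree checked out from version control and a tree
# unpacked from a release tarball that carries one extra build-time script.
VCS_TREE: SourceTree = {
    "src/main.c": b"int main(void){return 0;}\n",
    "configure.ac": b"AC_INIT([pkg],[1.0])\n",
}
RELEASE_TARBALL_TREE: SourceTree = dict(VCS_TREE)
RELEASE_TARBALL_TREE["build-aux/extra-step.sh"] = b"#!/bin/sh\n:\n"  # constructed

if __name__ == "__main__":
    ok, diffs = check_convergence(VCS_TREE, RELEASE_TARBALL_TREE)
    print("A:", artifact_hash(build(VCS_TREE)))
    print("B:", artifact_hash(build(RELEASE_TARBALL_TREE)))
    print("converged" if ok else "DIVERGED: " + "; ".join(diffs))
```

In a real deployment the two trees would come from, for instance, the project's version-control tag and its published release tarball, and `build` would be the package's actual Nix derivation run with reproducibility fixes in place; the comparison and reporting logic stays the same.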