https://github.com/NixOS/nixpkgs/blob/c7623219fccf46b36370140d777ba61c85c9bb8d/pkgs/applications/graphics/inkscape/default.nix fetches from https://media.inkscape.org/dl/resources/file/inkscape-${version}.tar.xz, but visiting https://media.inkscape.org/dl/resources/file/ serves some sort of HTML page containing spam unrelated to Inkscape (excerpt below):
DAFTAR 1 AKUN UNTUK SEMUA JENIS GAME SLOT ONLINE (Indonesian: "register 1 account for all kinds of online slot games")
Is there a process to mark a package as possibly insecure without any existing CVE?
I think the source sha256 would prevent it from being downloaded in this case wouldn’t it? Unless the sha256 was obtained from a bad file.
Yep, the reason the package builds now is that the tar is cached in cache.nixos.org.
Was Inkscape's site hacked? If that is true, is there some official news on that? What else is compromised in that case?
Judging from the text, it does seem to be related to some shady "slot machine" APK...
My concern is that there is a PR to bump version (inkscape: 1.2.2 -> 1.3, lib2geom: 1.2.2 -> 1.3 by leiserfg · Pull Request #245431 · NixOS/nixpkgs · GitHub), and I don’t know how we establish that this is “safe” code, as even the GitLab release (Releases · Inkscape / inkscape · GitLab) points back to the Inkscape domain (see the link “tarball from Inkscape website” which they consider to be the actual release).
The tarball does at least match the sha256 checksum posted on GitLab, so maybe this concern is superfluous, but I figured better report it than not.
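The two replies above rest on the same check: a fixed-output fetch only succeeds if the downloaded bytes hash to the value pinned in the Nix expression, and that value can be compared against the checksum the upstream release page publishes. The script below is an added example (not code from the thread, nixpkgs, or Inkscape) showing that check done by hand. It hashes a local file, accepts the expected value either as the hex digest a GitLab release page shows or as the `sha256-<base64>` SRI form used in a nixpkgs `hash` attribute, and converts between the two so the numbers on both sides can be compared directly. The sample file content, its digest, and the file name are constructed for the demo; the real archive and its hash are not reproduced here.

```python
"""Verify a release tarball against a published SHA-256 checksum.

Added example: compares a local file's SHA-256 against a checksum given
either as a hex digest (the form GitLab release pages show) or as a Nix
SRI string "sha256-<base64>" (the form used in a nixpkgs `hash` attribute).
"""
import base64
import hashlib
import hmac
import os
import tempfile

# Constructed sample standing in for a downloaded archive (hypothetical; not the real tarball).
SAMPLE_CONTENT = b"hello"
SAMPLE_SHA256_HEX = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


def sha256_hex_of_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_hex_of_file(path: str) -> str:
    """SHA-256 of a file, streamed in 1 MiB chunks so large tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hex_to_sri(hex_digest: str) -> str:
    """Hex digest -> SRI form ("sha256-" + standard base64 of the raw 32 bytes)."""
    return "sha256-" + base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def sri_to_hex(sri: str) -> str:
    """SRI form -> lowercase hex digest; rejects other algorithms and malformed input."""
    algo, sep, b64 = sri.partition("-")
    if sep != "-" or algo != "sha256":
        raise ValueError(f"unsupported SRI hash: {sri!r}")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError("a sha256 SRI hash must decode to exactly 32 bytes")
    return raw.hex()


def normalize_expected(expected: str) -> str:
    """Accept either notation and return the lowercase hex digest to compare against."""
    expected = expected.strip()
    if expected.startswith("sha256-"):
        return sri_to_hex(expected)
    if len(expected) != 64 or any(c not in "0123456789abcdefABCDEF" for c in expected):
        raise ValueError("expected a 64-character hex digest or a sha256 SRI hash")
    return expected.lower()


def verify_file(path: str, expected: str) -> bool:
    """True only if the file's digest equals the published one (constant-time compare)."""
    return hmac.compare_digest(sha256_hex_of_file(path), normalize_expected(expected))


def demo() -> dict:
    """Write the constructed sample to a temp dir, verify it, then corrupt it and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "inkscape-EXAMPLE.tar.xz")  # placeholder name, not a real release
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        hex_ok = verify_file(path, SAMPLE_SHA256_HEX)
        sri_ok = verify_file(path, hex_to_sri(SAMPLE_SHA256_HEX))
        # Simulate the failure mode from the thread: the server hands back an HTML page
        # instead of the archive. Any change to the bytes must make the check fail.
        with open(path, "ab") as f:
            f.write(b"<!DOCTYPE html>")
        tampered_ok = verify_file(path, SAMPLE_SHA256_HEX)
    return {"hex_ok": hex_ok, "sri_ok": sri_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

Because the comparison is on the digest alone, it says nothing about where the bytes came from: a cached copy on cache.nixos.org that matches the pinned hash is exactly as acceptable to this check as a fresh download, which is why the package kept building while the origin served something else.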