undefined | Better HN

0 pointscroon5y ago0 comments

But the broad issue will never be resolved. The entire foundation of society is built around some trust. What has proven to work is that we trust actors who are identifiable and have something to lose. This goes with everything from your bank, to government, to name brands, to your local restaurant.

Nix package managers/repositories have a level of scrutiny to get into, and highly dedicated people in charge of. Random github repos (or npm packages) are extremely low effort/risk to set up.

Of course the former can be abused, but the incentives are at least in its favor to likely be more trustworthy. And we have to make assumptions of trust everytime we sit down in our chair or turn on our computer, or plug in a space heater. We will never get around trust, but there are differences in levels of trust and trustworthiness.

0 comments

3 comments · 1 top-level

Foxboron5y ago· 2 in thread

>Nix package managers/repositories have a level of scrutiny to get into, and highly dedicated people in charge of. Random github repos (or npm packages) are extremely low effort/risk to set up.

That's not really true though. Nix doesn't support signed sources, there are no signatures in the package repository and in theory "John Doe" with no information can add packages and send pull-requests.

In practise nixpks is just a well moderated user repository and the level of scrutiny is less then the enterprise distros can offer.

https://discourse.nixos.org/t/trust-model-for-nixpkgs/9450

https://github.com/NixOS/nixpkgs/issues/20836

croonOP5y ago

Oh, I'll really show my ignorance here. You're right. I was interpreting Nix as *nix, and your average enterprise distro of linux.

Foxboron5y ago

Yes, it's not really easy when people use these ambiguous names and talk about them in ambiguous ways.

j / k navigate · click thread line to collapse