undefined | Better HN

0 pointsFoxboron5y ago0 comments

>Nix package managers/repositories have a level of scrutiny to get into, and highly dedicated people in charge of. Random github repos (or npm packages) are extremely low effort/risk to set up.

That's not really true though. Nix doesn't support signed sources, there are no signatures in the package repository and in theory "John Doe" with no information can add packages and send pull-requests.

In practise nixpks is just a well moderated user repository and the level of scrutiny is less then the enterprise distros can offer.

https://discourse.nixos.org/t/trust-model-for-nixpkgs/9450

https://github.com/NixOS/nixpkgs/issues/20836

0 comments

croon5y ago

Oh, I'll really show my ignorance here. You're right. I was interpreting Nix as *nix, and your average enterprise distro of linux.

FoxboronOP5y ago

Yes, it's not really easy when people use these ambiguous names and talk about them in ambiguous ways.