undefined | Better HN

0 pointsRGamma2y ago0 comments

Got any ideas what you would like to see instead/how to solve these pain points?

I've looked into running my own hydra instance recently. It's possible but I don't have the machine that I could host it on for my purposes right now (I would want to mirror the fixed output derivations and be able to compile most things in ramfs).

0 comments

2 comments · 1 top-level

PrimaryAlibi2y ago· 1 in thread

Great question but I'm not experienced enough developer to give the best answer. I don't know if it's possible to make this happen in the near enough future but the best would be if we could build the distro ourselves "reproducible builds". Then we can know for certain there are no added malicious modules added by the person signing the image.

Otherwise I think whatever the solution is, it must be a decentralized and censorship resistant solution, which means there must also be anonymity for the devs otherwise they can be forced to do bad things or even put in prison for working on a freedom software.

I think we can probably learn a lot from Monero's developers. I think the best solution is probably a fair launch DAO where everyone can vote on who should be allowed to be a developer, who will do the signing, which features we want, etc.

I think others can give better and more detailed answers than me. I will look into what hydra is that you mentioned.

RGammaOP2y ago

Hydra is the CI/CD platform executing jobs (the nixpkgs/NixOS job is defined in nixpkgs itself).

Having lurked for some years in the NixOS community I think it's too early to insinuate wrongdoing. It's no guarantee, but I believe all core contributors are giving their best. If malware gets distributed it's from upstream-compromised software.

The technological basis for verifiable IT is not well developed for now, but my guess would be they'd embrace it immediately (many core contributors come from the functional programming community). As things are, they are looking for resources to make core development sustainable. There's a million things to do (just look at the nixpkgs bug tracker). Cachix and hydra and the labor are expensive...

And dunno about the political angle. That sort of shit is part of life for decades in the distro space (and in most organisations of any kind) and we'll manage.

j / k navigate · click thread line to collapse