I’m new to Nix and wanted to get my feet wet by using the Nix package manager. However, I wasn’t sure how these packages were made. Are these packaged by the community? Who do I need to “trust” when installing these packages? In general, I was looking for info on how nix packages are made and maintained.

  • 𝕙𝕖𝕝𝕡
    link
    fedilink
    61 year ago

    Trust is a broad term. If you’re paranoid, find the package you care about here, and read every line:

    https://github.com/NixOS/nixpkgs

    If you’re slightly less paranoid, check the git blame logs for anyone that’s touched a package you care about. If you trust all of them, then you’re good.

    If you’re less paranoid than that, assume that someone reasonable is in charge of that repo. You’ll get warnings about insecure packages. I’ve had to Ok a few insecure packages in my configuration.nix, because I assume the packagers are reasonable people. I may yet find out I’ve made a mistake.

    Broadly speaking, I think it’s the same model as any other distro. Debian for example has volunteers that package stuff. You can go through the same process above and decide how paranoid you want to be for that as well.

      • 𝕙𝕖𝕝𝕡
        link
        fedilink
        41 year ago

        I’ll be honest, I have no idea. Sometimes, I get nagged that a package is insecure, and it seems reasonable like an old version of Electron, and then I just sigh and add it to my list of packages to ignore that warning on.

        • @[email protected]OP
          link
          fedilink
          21 year ago

          I didn’t find anything concrete, but it seems that a package is automatically marked insecure if it has a dependency that has a known CVE. I wonder how that is done.

      • Atemu
        link
        fedilink
        31 year ago

        Manually.

        There have been efforts to automate this partially but they’ve stalled.