this post was submitted on 25 Jun 2023
13 points (100.0% liked)
nixos
All about NixOS - https://nixos.org/
Trust is a broad term. If you're paranoid, find the package you care about here, and read every line:
https://github.com/NixOS/nixpkgs
If you're slightly less paranoid, check the git blame logs for anyone that's touched a package you care about. If you trust all of them, then you're good.
If you're less paranoid than that, assume that someone reasonable is in charge of that repo. You'll get warnings about insecure packages. I've had to OK a few insecure packages in my configuration.nix, because I assume the packagers are reasonable people. I may yet find out I've made a mistake.
Broadly speaking, I think it's the same model as any other distro. Debian for example has volunteers that package stuff. You can go through the same process above and decide how paranoid you want to be for that as well.
How are packages marked as insecure? I assume that's from some sort of automatic build process? Is that done in Hydra (https://hydra.nixos.org/)? Or is that from manual, or a lack of manual review?
Manually.
There have been efforts to automate this partially but they've stalled.
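What the "insecure" marker and the per-user "OK" in configuration.nix look like in practice, as an added example that is not from the thread or from nixpkgs itself. The package `example-tool`, its version and the vulnerability note are hypothetical placeholders; the mechanism (`meta.knownVulnerabilities` set by hand in the package expression, checked by stdenv at evaluation time, overridden by `permittedInsecurePackages`) is the real one. The package is defined in an overlay only so the whole example fits in one file:

```nix
# Added illustration for this thread; not code from nixpkgs or from the
# commenters. "example-tool" and everything about it is a placeholder.
{ config, lib, pkgs, ... }:

{
  # (1) How a package becomes "insecure": a maintainer adds
  # meta.knownVulnerabilities to the derivation by hand. No Hydra job or
  # scanner fills this in. In nixpkgs the same meta block lives in the
  # package's own expression; here it sits in an overlay for brevity.
  nixpkgs.overlays = [
    (final: prev: {
      example-tool = prev.stdenv.mkDerivation {
        pname = "example-tool";
        version = "1.2.3";

        # Placeholder build with no source, so the example evaluates and builds.
        dontUnpack = true;
        installPhase = ''
          mkdir -p $out/bin
          printf '#!/bin/sh\necho example-tool\n' > $out/bin/example-tool
          chmod +x $out/bin/example-tool
        '';

        meta = {
          description = "Hypothetical package used to show the insecure marker";
          license = lib.licenses.mit;
          # Free-text list. A non-empty list makes stdenv refuse to evaluate
          # the package until the user explicitly permits it.
          knownVulnerabilities = [
            "Placeholder note: upstream is unmaintained and no longer ships security fixes"
          ];
        };
      };
    })
  ];

  # (2) The user-side decision. Without this entry, nixos-rebuild aborts,
  # reports the package as marked insecure and prints the
  # knownVulnerabilities entries. The string must match
  # name = "${pname}-${version}", so a version bump forces the decision
  # to be made again for the new version.
  nixpkgs.config.permittedInsecurePackages = [
    "example-tool-1.2.3"
  ];

  # Alternative to the list above: a predicate over the package attrs.
  # This permits every version of the package, so prefer the versioned list.
  # nixpkgs.config.allowInsecurePredicate = pkg:
  #   builtins.elem (lib.getName pkg) [ "example-tool" ];

  environment.systemPackages = [ pkgs.example-tool ];
}
```

The check itself lives in `pkgs/stdenv/generic/check-meta.nix` in nixpkgs: the marker is only as good as the maintainer who wrote it, which is why it is not produced by Hydra. For a one-off `nix-build` or `nix-shell`, setting `NIXPKGS_ALLOW_INSECURE=1` in the environment overrides the check for that invocation without touching configuration.nix. For the "check who has touched it" step from the first comment, `git log --format='%an <%ae>' -- <path to the package expression> | sort -u` in a nixpkgs checkout lists every author of that file.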