I would note that while Nix is very well designed, and may be incredibly useful in untrusted dev environments, it should not be used to compile anything that touches production. Nix got where it is so quickly by mostly ignoring basic supply chain integrity like author package signing. It is always one compromised GitHub account or single dev workstation away from a massive supply chain attack.
Nix, NPM, Brew, Pip, etc. all have basically the same blind-trust security posture and should thus not be trusted. I generally suggest Debian in a container for a dual-use dev/compile container made of signed/vetted/reproducibly-built dev/build/debug dependencies.