by miloignis 1254 days ago
I think local reproducible dev environments are a great and less-intense way to get into Nix (the package manager)! https://devenv.sh/ is built on top of Nix as well to make it more approachable and user friendly for exactly your use case.

I would note that while Nix is very well designed, and may be incredibly useful in untrusted dev environments, it should not be used to compile anything that touches production. Nix got where it is so quickly by mostly ignoring basic supply chain integrity like author package signing. It is always one compromised GitHub account or single dev workstation away from a massive supply chain attack.

Nix, NPM, Brew, Pip, etc. all have basically the same blind-trust security posture and should thus not be trusted. I generally suggest Debian in a container for a dual-use dev/compile container made of signed/vetted/reproducibly-built dev/build/debug dependencies.
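To make the distinction in the comment above concrete, here is an added example (not code from the thread, from Nix, or from Debian) of the two verification postures it contrasts. `VerifyHashesOnly` models a lockfile-style check: it pins artifact contents to sha256 digests but trusts whoever served the manifest, so an attacker who can rewrite the manifest (one compromised account or workstation) simply publishes new digests alongside the backdoored artifact. `VerifyRelease` models a signed release: the manifest must carry a signature from a key in the consumer's trusted set before any digest is checked, so the same rogue manifest is rejected. The artifact bytes, names and Ed25519 keys are all constructed inline for the demonstration; the canonical manifest format is an assumption chosen for this example, not any real package manager's format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps an artifact name to its expected sha256 digest (hex),
// in the spirit of a lockfile or a repository index.
type Manifest map[string]string

// Canonical serialises the manifest deterministically ("<sha256> <name>\n",
// sorted by name) so the signer and the verifier hash identical bytes.
// This line format is an assumption made for the example.
func (m Manifest) Canonical() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", m[n], n)
	}
	return []byte(b.String())
}

// Sha256Hex returns the lowercase hex sha256 digest of data.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest computes a manifest over a set of artifacts (name -> bytes).
func BuildManifest(artifacts map[string][]byte) Manifest {
	m := make(Manifest, len(artifacts))
	for name, data := range artifacts {
		m[name] = Sha256Hex(data)
	}
	return m
}

// SignManifest produces an Ed25519 signature over the canonical manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyHashesOnly is the "blind trust" posture: every artifact must match the
// digest in the manifest, but nothing authenticates who wrote the manifest.
func VerifyHashesOnly(m Manifest, artifacts map[string][]byte) error {
	for name, want := range m {
		data, ok := artifacts[name]
		if !ok {
			return fmt.Errorf("artifact %q listed in manifest but missing", name)
		}
		if got := Sha256Hex(data); got != want {
			return fmt.Errorf("artifact %q digest mismatch: want %s, got %s", name, want, got)
		}
	}
	return nil
}

// VerifyRelease is the signed posture: the manifest signature must validate
// under one of the consumer's trusted public keys before digests are checked.
func VerifyRelease(trusted []ed25519.PublicKey, m Manifest, sig []byte, artifacts map[string][]byte) error {
	canon := m.Canonical()
	signed := false
	for _, pk := range trusted {
		if ed25519.Verify(pk, canon, sig) {
			signed = true
			break
		}
	}
	if !signed {
		return errors.New("manifest is not signed by any trusted key")
	}
	return VerifyHashesOnly(m, artifacts)
}

func main() {
	// Constructed sample release: one trusted maintainer key, two artifacts.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := map[string][]byte{"libfoo-1.0.tar.gz": []byte("clean source"), "foo-cli": []byte("clean binary")}
	m := BuildManifest(good)
	sig := SignManifest(priv, m)
	fmt.Println("genuine release:", VerifyRelease([]ed25519.PublicKey{pub}, m, sig, good))

	// Attacker with write access to the repo replaces an artifact AND the index,
	// signing with their own key. Hash-only checking cannot tell the difference.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	bad := map[string][]byte{"libfoo-1.0.tar.gz": []byte("backdoored source"), "foo-cli": []byte("clean binary")}
	m2 := BuildManifest(bad)
	sig2 := SignManifest(rogue, m2)
	fmt.Println("hash-only on rogue release:", VerifyHashesOnly(m2, bad))
	fmt.Println("signed check on rogue release:", VerifyRelease([]ed25519.PublicKey{pub}, m2, sig2, bad))
}
```

The point of the contrast is that pinning digests only protects against tampering between the index and the artifact; it does nothing against an attacker who controls both, which is the position a compromised upstream account or build host is in. Signature verification moves the root of trust to a key the consumer chose to trust in advance, which is also why the trusted key set must itself be distributed out of band.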

As someone who knows nothing about package signing and security, are you saying that Nix is about as secure as NPM?
Correct, and that is not a good thing.
I’ve been toying with the idea of using Nix for dev environments at work. What does devenv add on top of Nix?

Edit: And if you know, how does it differ from devbox?

I haven't used devenv or devbox, I've taken the full Nix/NixOS plunge - sorry I can't be more helpful! I've just seen devenv on HN and glanced over its homepage and saw that it was based on Nix but supposed to be easier to use. If you want to jump straight to Nix itself, more power to you! There's a big learning curve, but I have found it very worth it.