by plaguepilled
1104 days ago
I love NixOS, but I am looking to move my workstation to Guix. The reason is that it seems NixOS do not sign their packages. I've checked the messaging platforms, and while there seems to be a consensus that it's not needed, I'm at present unconvinced (especially since Guix, to my knowledge, do require signing). On its own I'd actually be OK with looking past this, but the lack of documentation on mandatory access control, secure boot, and general sandbox consideration makes me concerned on multiple fronts. Which is a shame, because like I said, NixOS is a delight to use.

However, only Guix has signed commits in its repository (the repo contains package definitions) and a mechanism for secure updates: https://guix.gnu.org/en/blog/2020/securing-updates/
The problem goes well beyond that, though: as far as I know, Guix is the only project that has a Git repository that users can authenticate when they pull from it.