by lrvick 824 days ago
Nix is mostly reproducible but does not require maintainers to sign their packages or commits, and most do not, which is a bare minimum for any security sensitive environment.

In Guix signing is mandated and it is mostly reproducible, but the choice of scheme and lack of base container images make it unapproachable for many.

Debian led the way on signing and reproducibility, but package versions of things like rust are too far behind to be useful to most orgs.

Arch in contrast to these is IMO easy to package for, has recent well maintained signed packages, has well maintained OCI images published, and is rapidly improving on reproducibility.

Having at least one glibc distro that can meet these criteria is a big win for many use cases.

Different tools for different projects and threat models.


>> base container images

This is very easy to solve for.

>> choice of scheme

There was more wisdom when everyone at least tacitly acknowledged that maybe not everyone should be touching servers.