[blueflow]

No. Nix pulls in tarballs/sources like any other package build system.

[1una]

In this specific case, nix uses fetchFromGitHub to download the source archive, which are generated by GitHub for the specified revision[1]. Arch seems to just download the tarball from the releases page[2].

[1]: https://github.com/NixOS/nixpkgs/blob/3c2fdd0a4e6396fc310a6e...

[2]: https://gitlab.archlinux.org/archlinux/packaging/packages/ib...

[api]

Computers have to run software that has to come from somewhere.

I’ve been expecting a supply chain apocalypse for some time now given that the Internet has become a dark forest.