by tombert
732 days ago
Sorry, I guess I didn't really mean to imply I was going to dissect everything line by line, but I can at least look to see if every package in there is directly open-source and if there are any packages that are being pulled in that are frequent security concerns. ETA: I know I can technically do that with Ubuntu or Fedora or OpenSUSE as well, it's not like it's a secret which packages they include, but what I like about NixOS Minimal or Arch is that I have to explicitly add every package I want. There are transitive dependencies obviously, so there of course can still be stuff on my machine I'm not happy with, but I still think it's better.
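The check described in the comment above (start from the packages you explicitly asked for, walk the transitive closure, and flag anything non-free or on a personal watchlist), written out as an added example. This is not code from the commenter or from NixOS/Arch tooling: the package names, licence strings and the `WATCHLIST` entry are constructed for the example, and the metadata shape is only loosely modelled on what `nix path-info` and nixpkgs `meta.license` expose. It also handles the two things that bite in practice: a dependency with no metadata at all, and a flagged package that only enters through a chain of transitive deps.

```python
from collections import deque

# Constructed package metadata (hypothetical names and licence short names,
# not a real closure from any system). Each entry lists its runtime deps.
PACKAGES = {
    "editor":     {"license": "mit",        "deps": ["termlib", "libc"]},
    "termlib":    {"license": "mit",        "deps": ["libc"]},
    "libc":       {"license": "lgpl21Plus", "deps": []},
    "mediatool":  {"license": "gpl2Plus",   "deps": ["codec-a", "codec-b", "libc"]},
    "codec-a":    {"license": "gpl2Plus",   "deps": ["libc"]},
    "codec-b":    {"license": "bsd2",       "deps": ["libc", "hwblob"]},
    "hwblob":     {"license": "unfreeRedistributableFirmware", "deps": []},
    "bigapp":     {"license": "mit",        "deps": ["legacy-ssl", "mediatool"]},
    "legacy-ssl": {"license": "bsd3",       "deps": ["libc", "missing-pkg"]},
    # "missing-pkg" is referenced above but deliberately has no entry here,
    # to exercise the "no metadata" path.
}

# Licence short names treated as open source for the purpose of the audit.
FREE_LICENSES = {"mit", "bsd2", "bsd3", "isc", "asl20",
                 "gpl2Plus", "gpl3Plus", "lgpl21Plus"}

# Packages you want to hear about whenever they appear, even transitively.
# Constructed entry; the reason text is a placeholder, not a real advisory.
WATCHLIST = {"legacy-ssl": "constructed example: old TLS stack, check upstream fixes"}


def closure(top_level, packages):
    """Breadth-first walk from the explicitly installed packages.

    Returns {package: chain}, where chain is the list of names from the
    top-level package down to this one, i.e. how it got onto the system.
    A visited set keeps dependency cycles from looping forever."""
    seen = {}
    queue = deque()
    for name in top_level:
        seen[name] = [name]
        queue.append(name)
    while queue:
        name = queue.popleft()
        for dep in packages.get(name, {}).get("deps", []):
            if dep not in seen:
                seen[dep] = seen[name] + [dep]
                queue.append(dep)
    return seen


def audit(top_level, packages=PACKAGES, free=FREE_LICENSES, watch=WATCHLIST):
    """Return a sorted list of (package, reason, chain) findings for the closure."""
    findings = []
    for name, chain in closure(top_level, packages).items():
        meta = packages.get(name)
        if meta is None:
            findings.append((name, "no metadata in closure listing", chain))
            continue
        if meta["license"] not in free:
            findings.append((name, "non-free licence: " + meta["license"], chain))
        if name in watch:
            findings.append((name, "watch-listed: " + watch[name], chain))
    return sorted(findings)


if __name__ == "__main__":
    # Installing only "editor" is clean; adding "bigapp" drags in three findings,
    # none of which are visible from the top-level package list alone.
    for pkg, reason, chain in audit(["editor", "bigapp"]):
        print(f"{pkg}: {reason}  (via {' -> '.join(chain)})")
```

The `chain` is the useful part: knowing that `hwblob` is present tells you less than knowing it arrived via `bigapp -> mediatool -> codec-b`, because that is the edge you would have to cut (or override) to get rid of it. On a real NixOS system the `PACKAGES` dict would be built from the store's dependency graph rather than typed by hand.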
As an individual, do you think you can do that? I know a lot of packages with security concerns where CVEs are never issued. You just need to go to their PRs and luck into finding descriptions of a security fix. I doubt this would scale for a given individual.