by elsjaako
390 days ago
The source code is retrieved from the official source of the package, and checked against a hash that is stored in the package definitions. All the package definitions are stored in a large GitHub repository, and they are "code reviewed". For example, you can see where the xz sources get pulled from in the src section here: https://github.com/NixOS/nixpkgs/blob/nixos-25.05/pkgs/tools...

As usual, wherever you get your software, if someone at the source sneaks in something malicious and no one notices it, it gets in there. NixOS has no special mitigations against that (AFAIK). But you can be reasonably sure that the binary you have matches the official source of the software, with maybe some reviewed patches to get it to work in Nix's environment.

The binaries are cached, so you don't have to build everything yourself. There is a command to rebuild the software from source yourself. Most packages are reproducible, about 95% of the distributed GNOME version:
https://reproducible.nixos.org/nixos-iso-gnome-r13y/
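The two checks the comment above describes, the pinned source hash and the rebuild-and-compare step, modelled in plain POSIX sh on constructed data. This is an added example, not code from the comment, from Nix, or from nixpkgs: the "tarball", the pinned hash (the SHA-256 of the bytes "hello\n"), and the two toy "builds" are all constructed here. In nixpkgs the pin is the `hash` attribute of the package's `src = fetchurl { ... }` block, and `nix-build --check` is the command that rebuilds a derivation and compares the result with the existing output.

```shell
#!/bin/sh
# Added example, not from the comment above, Nix or nixpkgs.
# Models two checks on constructed data:
#  1. a fixed-output fetch: the source is accepted only if its SHA-256
#     matches the hash pinned in the package definition;
#  2. a reproducibility check (the idea behind `nix-build --check`):
#     build twice and require bit-identical output.
# All file names, contents and "builds" below are constructed for this example.

sha256_of() {
    # Portable digest: coreutils sha256sum on Linux, shasum elsewhere.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_source FILE PINNED_SHA256 -> 0 if the fetched file matches the pin
verify_source() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "hash mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# build_good OUTDIR: deterministic toy "build"; output depends only on the source
build_good() {
    printf 'binary built from: hello\n' > "$1/prog"
}

# build_bad OUTDIR: leaks the build directory into the artifact, a common
# real-world cause of non-reproducible output
build_bad() {
    printf 'binary built in: %s\n' "$1" > "$1/prog"
}

# check_reproducible BUILD_FN -> 0 if two independent builds are bit-identical
check_reproducible() {
    d1=$(mktemp -d); d2=$(mktemp -d)
    "$1" "$d1"; "$1" "$d2"
    h1=$(sha256_of "$d1/prog"); h2=$(sha256_of "$d2/prog")
    rm -rf "$d1" "$d2"
    [ "$h1" = "$h2" ]
}

demo() {
    # Constructed "upstream tarball": just the bytes "hello\n".
    work=$(mktemp -d)
    printf 'hello\n' > "$work/src.tar"
    # Pin recorded in the (hypothetical) package definition: SHA-256 of "hello\n".
    pinned=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

    verify_source "$work/src.tar" "$pinned" && echo "source matches pinned hash"
    # Simulate the upstream tarball being swapped after the hash was pinned.
    printf 'hello\n# extra bytes\n' > "$work/src.tar"
    verify_source "$work/src.tar" "$pinned" || echo "modified source rejected"
    rm -rf "$work"

    check_reproducible build_good && echo "build_good: reproducible"
    check_reproducible build_bad || echo "build_bad: NOT reproducible"
}
demo
```

The second half is the part worth keeping in mind when reading the 95% figure: a package can fetch exactly the right source and still fail reproducibility because the build embeds something environmental (a path, a timestamp), which is why the rebuild-and-compare step is a separate check from the source hash.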
In order for people to review Nix package definitions and patches, do they need to have their keys signed by other Nix contributors they meet in person like Debian contributors do?
https://www.debian.org/events/keysigning