by lrvick
326 days ago
Plenty of wildly unsafe behavior is common in production infrastructure today. This is also why compromised corporate infrastructure is in the news so often. Few orgs hire or even contract security engineers with Linux supply chain and hardening experience, opting to blindly trust the popular options and their maintainers. NixOS knowingly discards vital supply chain integrity controls to minimize developer friction and maximize package contributions. It is a highly complex, Wikipedia-style distribution optimizing for maximum package variety, which is absolutely fine and great for hobby use cases, but use in security-critical applications is absolutely irresponsible. Guix goes some big steps further in supply chain integrity but still ultimately trusts individual maintainers. See this chart to understand how NixOS compares in terms of threat model: https://codeberg.org/stagex/stagex#comparison