by ndriscoll 76 days ago
I don't know about other managers, but nixpkgs has hashes of the package I'm installing, and is a git repo, so I can easily detect a history rewrite, and I have the full history of package changes over time. Since it's a git repo, I can also easily install things as of a given time.

You probably know this, but a note for the benefit of people who don’t. The entire git history, including metadata, can be modified. Unless you have an independent offline remote to compare to, this method is not 100% guaranteed to detect tampering in all cases, for example if the nixpkgs repo is compromised (or your machines’ connection to your git forge is being MITM’d).
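The two comments above, as an added example that is not part of the thread: it computes commit ids the way git's SHA-1 object format does, rewrites one commit in a linear history, and shows that a client holding an independently stored id notices the rewrite while a client with nothing to compare against cannot. The identity string, tree labels, the `check_fetch` helper and the linear-history simplification are assumptions made for illustration.

```python
import hashlib

def commit_id(tree, parent, who, message):
    """Object id git assigns to a commit (SHA-1 object format)."""
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {who}", f"committer {who}", "", message, ""]
    body = "\n".join(lines).encode()
    return hashlib.sha1(b"commit %d\x00" % len(body) + body).hexdigest()

def build_history(commits):
    """Chain (tree, message) pairs into a linear history; ids oldest first."""
    ids, parent = [], None
    for tree_id, message in commits:
        parent = commit_id(tree_id, parent, WHO, message)
        ids.append(parent)
    return ids

def check_fetch(pinned, fetched_ids):
    """Hypothetical helper: compare a fetch against an independently kept id."""
    if pinned is None:
        return "unverifiable"  # nothing independent to compare against
    return "ok" if pinned in fetched_ids else "rewritten"

# Constructed sample data (not real nixpkgs commits).
WHO = "Example Dev <dev@example.invalid> 1700000000 +0000"

def tree(label):
    """Stand-in tree id derived from a label (constructed, not a real tree)."""
    return hashlib.sha1(label.encode()).hexdigest()

ORIGINAL = [(tree("v1"), "init"), (tree("v2"), "bump hash"), (tree("v3"), "add pkg")]
# Same history with the middle commit's content changed, metadata copied verbatim.
TAMPERED = [ORIGINAL[0], (tree("v2-modified"), "bump hash"), ORIGINAL[2]]

honest = build_history(ORIGINAL)
forged = build_history(TAMPERED)

if __name__ == "__main__":
    print("pinned clone :", check_fetch(honest[-1], forged))
    print("fresh clone  :", check_fetch(None, forged))
    print("honest update:", check_fetch(honest[1], honest))
```

The forged chain is internally consistent, so only the id stored outside the fetched repository distinguishes it from the honest one.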