by pkulak 37 days ago
> without signature or review

What are you on about now? I got _one_ of my projects accepted into NixPkgs a couple years ago and have never done it since due to the huge PITA it was to find someone with contributor rights to sign off on it. If I want to update it, same hassle. Now I prefer to just throw a flake in the root of the project and call it good, which actually works really well.

Wait until you find out that Arch has both secure boot and the AUR.

Anyone with contributor rights can make a fake identity, make a PR with it, then merge their own PR. Effectively no oversight.

Also, because there is no signing, git history can be rewritten easily or people can impersonate each other in git history easily.

This sort of posture is why I am totally serious when I say one compromised GitHub token can backdoor all nix users.
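The impersonation point above is easy to see with plain git: commit metadata is free text, so a commit can claim any author, and only a signature ties that claim to a key. The script below is an added example written for this thread, not code from Nixpkgs or from any commenter. It builds a throwaway repository with a constructed, fictional maintainer identity, prints what the history claims, and shows a small policy check a reviewer or CI job could run to refuse history whose commits are not all backed by a good signature. It assumes `git` is on `PATH`.

```shell
#!/bin/sh
# Added example: unsigned git metadata is not evidence of who wrote a commit.

# make_demo_repo: create a temp repository with one unsigned commit whose
# author fields are set to a constructed, fictional maintainer identity.
# Prints the repository path.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    printf 'hello\n' > "$dir/README"
    git -C "$dir" add README
    # Anyone can put any name/email in the author and committer fields.
    git -C "$dir" \
        -c user.name='Trusted Maintainer' \
        -c user.email='maintainer@example.invalid' \
        -c commit.gpgsign=false \
        commit -q -m 'looks like a maintainer change'
    echo "$dir"
}

# show_history REPO: one line per commit, signature status first.
# %G? is git's verification flag: G = good signature, B = bad, U = good but
# untrusted key, X/Y = expired, R = revoked key, E = could not check,
# N = no signature at all.
show_history() {
    git -C "$1" log --format='%G? %an <%ae> %s' HEAD
}

# check_signed_history REPO RANGE: succeed only if every commit in RANGE
# carries a good (G) signature. Anything else, including plain unsigned
# commits, makes the check fail so a merge or release job can stop.
check_signed_history() {
    repo="$1"; range="$2"
    unsigned=$(git -C "$repo" log --format='%G?' "$range" | grep -vc '^G$' || true)
    [ "$unsigned" -eq 0 ]
}

# Demo run: the history claims to come from a maintainer, but status N shows
# nothing backs that claim, and the policy check rejects it.
repo=$(make_demo_repo)
show_history "$repo"
if check_signed_history "$repo" HEAD; then
    echo "policy: all commits carry good signatures"
else
    echo "policy: refusing history with unsigned or unverifiable commits"
fi
rm -rf "$repo"
```

The check deliberately treats every status other than `G` as a failure, including `U` (valid signature from a key the verifier has not chosen to trust), because the question a merge gate asks is not "is there a signature" but "is it from a key we have decided to trust".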

You have to be either a committer in general or a maintainer of a specific package to merge PRs into Nixpkgs. Contributors' PR approvals in Nixpkgs are just an informal signal for maintainers and committers to consider. And maintainers can only merge changes related to the packages they maintain, not other random changes.
But a maintainer could merge their own PR created by a pseudonym, and signing is not required, so in effect, they can ship any changes to their own packages they wish. This is a major supply chain security risk.