
>Nix package managers/repositories have a level of scrutiny to get into, and highly dedicated people in charge of it. Random github repos (or npm packages) are extremely low effort/risk to set up.

That's not really true though. Nix doesn't support signed sources, there are no signatures in the package repository and in theory "John Doe" with no information can add packages and send pull-requests.

In practice nixpkgs is just a well-moderated user repository, and the level of scrutiny is less than the enterprise distros can offer.

https://discourse.nixos.org/t/trust-model-for-nixpkgs/9450

https://github.com/NixOS/nixpkgs/issues/20836



Oh, I'll really show my ignorance here. You're right. I was interpreting Nix as *nix, and your average enterprise distro of linux.


Yes, it's not really easy when people use these ambiguous names and talk about them in ambiguous ways.



