I’m new to Nix and wanted to get my feet wet by using the Nix package manager. However, I wasn’t sure how these packages were made. Are these packaged by the community? Who do I need to “trust” when installing these packages? In general, I was looking for info on how nix packages are made and maintained.

  • agile_squirrel (OP) · 3 upvotes · 1 year ago

    How are packages marked as insecure? I assume that’s from some sort of automatic build process? Is that done in Hydra (https://hydra.nixos.org/)? Or is that from manual, or a lack of manual review?

    • 𝕙𝕖𝕝𝕡 · 4 upvotes · 1 year ago

      I’ll be honest, I have no idea. Sometimes I get nagged that a package is insecure, and it seems reasonable, like an old version of Electron, and then I just sigh and add it to my list of packages to ignore that warning on.

      • agile_squirrel (OP) · 2 upvotes · 1 year ago

        I didn’t find anything concrete, but it seems that a package is automatically marked insecure if it has a dependency that has a known CVE. I wonder how that is done.

    • Atemu · 3 upvotes · 1 year ago

      Manually.

      There have been efforts to automate this partially but they’ve stalled.
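The mechanism the thread is circling around, shown as an added example (not code from any of the posters, and not a real nixpkgs package): a maintainer marks a package by hand with `meta.knownVulnerabilities`, and nixpkgs then refuses to evaluate that derivation with a "marked as insecure" error unless the user lists its exact `pname-version` in `permittedInsecurePackages`, which is the "list of packages to ignore that warning on" mentioned above. The package name, version and CVE identifier below are placeholders.

```nix
# example.nix (constructed example, not from nixpkgs).
# Evaluate with:  nix-instantiate example.nix
# Delete the permittedInsecurePackages entry and the same command aborts with
# "Package 'example-app-1.2.3' ... is marked as insecure" plus the listed
# knownVulnerabilities. NIXPKGS_ALLOW_INSECURE=1 is the env-var equivalent
# for the legacy (non-flake) commands.
let
  pkgs = import <nixpkgs> {
    # User side: the allow-list. Entries must match "${pname}-${version}"
    # exactly, so the override expires automatically when the package is bumped.
    config.permittedInsecurePackages = [
      "example-app-1.2.3" # placeholder name-version
    ];
  };

  # Maintainer side: the marker lives in the package expression itself.
  # There is no scanner behind it; a person adds the entry when an
  # unfixable vulnerability is known, and the check runs at evaluation time.
  exampleApp = pkgs.callPackage ({ lib, stdenv }:
    stdenv.mkDerivation rec {
      pname = "example-app"; # placeholder
      version = "1.2.3";     # placeholder

      # No source: this derivation only exists to show the meta check.
      dontUnpack = true;
      installPhase = "mkdir -p $out";

      meta = with lib; {
        description = "Constructed package carrying a known-vulnerability marker";
        # Non-empty list => evaluation is blocked unless explicitly permitted.
        knownVulnerabilities = [
          "CVE-XXXX-NNNNN (placeholder): summary of the issue and a link to the advisory"
        ];
        license = licenses.mit;
      };
    }) { };
in
  exampleApp
```

The split matters for anyone deciding whom to trust: the marking itself is a code change in nixpkgs reviewed like any other, and the override is scoped to one exact version, so a later update that drops the marker also drops the need for the exception.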