Comment by lrvick

2 months ago

Just a couple of examples off the top of my head that I have bumped into: packages that cannot be full source bootstrapped, like Haskell, are allowed, so total trust is placed in third party compiler binaries. Also, in cases like qemu where binary blob firmware is in the repo, it is kept as is and not rebuilt from source. Determinism is also not mandated, so there is no way to know if any of the non-deterministic packages were faithfully built from source. There are no hard enforced rules in cases like these, only cultural guidelines that are followed optionally.

Compare to e.g. stagex which I founded specifically because nix did not wish to adopt a strict threat model that trusts no single individual, build machine, or third party binary.

Stagex is a remarkable achievement and one of the most exciting projects that I have encountered this year. I plan on migrating a few high value build pipelines in the near future. Thank you for the excellent work.

With that said, I also write a lot of Haskell and would be very sad if nixos dropped support because it was not yet fully bootstrappable. The NixOS supply chain and build pipeline could absolutely be meaningfully hardened, but I think that given the state of the ecosystem at large, and the project's widespread usage as a general purpose OS, achieving the kind of trust model and security guarantees offered by something like stagex is not yet realistic without making usability compromises that most of its userbase would not find acceptable.

  • NixOS made a decision to tolerate single party supply chain security to support as many packages as possible even if it means nixos cannot be used for high security applications. This is a perfectly acceptable stance IF they communicate their single-party-risk tolerant threat model honestly so people know they cannot trust nixos in high risk situations.

    It absolutely does not have the supply chain security guarantees it is widely believed to have and that is my core problem with it.

    Also, if you wanted to use stagex for haskell today anyway and accept the risks, you totally can, but you would want to make a docker build layer to import a precompiled binary from the internet like nixos does, and then it is very explicit that your resulting software has single party trust. We should have all dependencies of haskell but we cannot safely offer it as a precompiled package. That said, as an end user you can of course use stagex in any way that suits your own project threat model.

    Happy to help if we can!