Comment by lrvick

2 months ago

NixOS made a decision to tolerate single-party supply chain security to support as many packages as possible, even if it means NixOS cannot be used for high-security applications. This is a perfectly acceptable stance IF they communicate their single-party-risk-tolerant threat model honestly so people know they cannot trust NixOS in high-risk situations.

It absolutely does not have the supply chain security guarantees it is widely believed to have, and that is my core problem with it.

Also, if you wanted to use stagex for Haskell today anyway and accept the risks, you totally can, but you would want to make a Docker build layer to import a pre-compiled binary from the internet like NixOS does, and then it is very explicit that your resulting software has single-party trust. We should have all dependencies of Haskell, but we cannot safely offer it as a precompiled package. That said, as an end user you can of course use stagex in any way that suits your own project's threat model.

Happy to help if we can!