this post was submitted on 25 Jun 2023
1 points (100.0% liked)
nixos
1262 readers
3 users here now
All about NixOS - https://nixos.org/
founded 4 years ago
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The current size of the Nixpkgs committers team is 197.
Not only that but also reviews and other community interactions.
You must be "known" among existing committers and have shown that you understand the "rules" of Nixpkgs; written and unwritten ones.
That is correct. We could push any commit we wanted into Nixpkgs.
Others would (hopefully) notice though and there's a bot which tells you "nono, bad committer" when you push a commit without PR ;)
It's possible to tamper with the binary but not the source code. A substantial change in build recipe always causes a change in derivation hash. Malicious code must be introduced in source code form.
To tamper with binaries, you'd need access to Hydra; more specifically its signing key. Committers do not have that kind of access.
Well, that's the hope anyways. Thankfully, we haven't had this system abused yet but I'd be more comfortable if there was a better system in place. Especially w.r.t. removing inactive committers that haven't actually been part of the project for a long time.