joeyh at

Finally found time to read about the Nix functional package manager.

Some really neat ideas and rather cool results. For example, non-root users can install packages using the system package manager, without affecting other users.

Also it's quite interesting to me that nix is both a portable collection of software (linux/bsd/osx) and a standalone linux distribution.

Unfortunately, it seems to be about 15 years behind state of the art on security. Nothing is gpg signed; even https is not used to verify the downloads of the package lists (though once you have those, it does use sha256 sigs for binary downloads). Also, when downloading sources, it verifies them with only an md5sum, which is not secure, of course.

Wish I had the time to dive in and fix all that. As it is, I don't even feel comfortable installing it to have a play with it and learn more. (Wonder if the FSF's fork of this that uses Scheme (GNU Guix) is any better?)



Guix verifies sources by SHA256 and Nix does this now, too.

The lack of signed archives is a known problem that is being worked on.  See

I got this information from Ludovic Courtès, the maintainer of Guix.  Hope I helped clear things up a bit. :)

David Thompson at 2014-02-09T22:06:03Z

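The thread above turns on how a source fetch is verified: the original post objects to MD5-only checks, and the reply notes that both Guix and Nix now pin sources by SHA256. The following is an added example, not code from Nix or Guix, of what such a fixed-output fetch check looks like when it also enforces a policy on which digest algorithms are acceptable. The archive bytes, the `pin_source`/`verify_fetch` names and the `algo:hexdigest` pin format are all constructed for this illustration.

```python
"""Integrity check for a fetched source archive, in the style of the
fixed-output fetches Nix and Guix use: the packager pins a digest, the
fetcher recomputes it over the downloaded bytes and refuses a mismatch.

Added example, not code from Nix or Guix; the archive bytes are constructed.
"""
import hashlib
import hmac

# Digest algorithms the fetcher accepts. MD5 and SHA-1 are deliberately
# absent: collisions can be produced for both, so a matching digest no
# longer proves the bytes are the ones the packager hashed.
ACCEPTED_ALGORITHMS = frozenset({"sha256", "sha512"})


class WeakHashError(ValueError):
    """The pin uses an algorithm outside ACCEPTED_ALGORITHMS."""


class IntegrityError(ValueError):
    """The downloaded bytes do not match the pinned digest."""


def pin_source(data: bytes, algo: str = "sha256") -> str:
    """Packager side: produce the 'algo:hexdigest' pin stored in the recipe."""
    if algo not in ACCEPTED_ALGORITHMS:
        raise WeakHashError(f"refusing to pin with {algo}")
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def parse_pin(pin: str) -> tuple:
    """Split an 'algo:hexdigest' pin and enforce the algorithm policy."""
    algo, sep, digest = pin.partition(":")
    if not sep:
        raise ValueError("pin must have the form algo:hexdigest")
    algo = algo.lower()
    if algo not in ACCEPTED_ALGORITHMS:
        raise WeakHashError(f"{algo} is not an accepted integrity hash")
    digest = digest.lower()
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or set(digest) - set("0123456789abcdef"):
        raise ValueError(f"malformed {algo} digest in pin")
    return algo, digest


def verify_fetch(data: bytes, pin: str) -> str:
    """Fetcher side: recompute the digest and compare it to the pin.

    Returns the verified hex digest so callers can log or cache it.
    """
    algo, expected = parse_pin(pin)
    actual = hashlib.new(algo, data).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{algo} mismatch: expected {expected}, got {actual}")
    return actual


# Constructed sample: what a packager would fetch and pin, plus a tampered copy.
SAMPLE_ARCHIVE = b"constructed contents of foo-1.0.tar.gz\n"
TAMPERED_ARCHIVE = SAMPLE_ARCHIVE.replace(b"foo", b"evil")
SAMPLE_PIN = pin_source(SAMPLE_ARCHIVE)


def demo() -> dict:
    """Exercise the three outcomes a fetcher must distinguish."""
    results = {
        "good": verify_fetch(SAMPLE_ARCHIVE, SAMPLE_PIN) == SAMPLE_PIN.split(":")[1]
    }
    try:
        verify_fetch(TAMPERED_ARCHIVE, SAMPLE_PIN)
        results["tampered_rejected"] = False
    except IntegrityError:
        results["tampered_rejected"] = True
    try:
        # A recipe that still carries an MD5 pin is refused outright.
        verify_fetch(SAMPLE_ARCHIVE, "md5:" + hashlib.md5(SAMPLE_ARCHIVE).hexdigest())
        results["md5_rejected"] = False
    except WeakHashError:
        results["md5_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

A pin only protects what it covers: if the recipe or package list that carries the pin is itself fetched over plain http without a signature, whoever can substitute the archive can substitute the pin alongside it. That is why the post's complaint about unsigned, non-https package lists matters independently of the digest algorithm; the digest check closes the MD5 hole, and signing or TLS on the channel that delivers the pins is what closes the other one.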