Source

It’s the first time I see the concept of bootstrappability in the context of security.

Is it really worth the effort?

There are multiple ways to run a supply chain attack. With bootstrappability, one can be sure that the compiler is trusted, but what about the code that the compiler compiles? There was this recent attack to XZ utils, which shows that more attention is needed on the code being merged and compiled.

I think that this just creates a false sense of security.

Contrary to that, I had read about a BSD team (I think FreeBSD) that reviews all the code before each release. This way they have achieved ~5 RCE exploits throughout their entire history.

I don’t have any experience with guix, so I will not express any opinions towards that.

However, regarding NixOS:

• Yes, as a person with experience in the Nix language, I can confirm it’s awful
• The documentation of NixOS is a known issue, and there are currently efforts to improve it
• Talking about the trustability of binaries, by doing a quick search, I read that Guix builds are reproducible. This is true for NixOS as well. All upstreamed packages must have their version and the hash of the code (or artifact), to allow verification
• The community of NixOS is opting to maintaining flakes, because:
  • Some applications can simply not be built following the Nix guidelines. Examples are some electron apps (like Falkor) and apps that have weird toolchains (like bubblejail)
  • The reviewing process takes way too long, and PRs for upstreaming are often ignored. This forces a lot of people to just PR a flake.nix to the application, or maintain their own overlays (overlays are like overriding the available packages, while flakes are more like distributing Nix code in general)

I quickly went through the article, and I have a question: Why not Docker (or Podman) on NixOS?

NixOS has much larger community (although a bit toxic) and provides native tooling for managing OCI containers through Docker and Podman.