234
nixpkgs > aur
(programming.dev)
cross-posted from: https://programming.dev/post/52191489
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 18 Jun 2026
234 points (100.0% liked)
linuxmemes
31797 readers
780 users here now
Hint: :q!
Sister communities:
Community rules (click to expand)
1. Follow the site-wide rules
- Instance-wide TOS: https://legal.lemmy.world/tos/
- Lemmy code of conduct: https://join-lemmy.org/docs/code_of_conduct.html
2. Be civil
- Understand the difference between a joke and an insult.
- Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
- Don't get baited into back-and-forth insults. We are not animals.
- Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
- Bigotry will not be tolerated.
3. Post Linux-related content
- Including Unix and BSD.
- Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of
sudoin Windows. - No porn, no politics, no trolling or ragebaiting.
- Don't come looking for advice, this is not the right community.
4. No recent reposts
- Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
5. ๐ฌ๐ง Language/ัะทัะบ/Sprache
- This is primarily an English-speaking community. ๐ฌ๐ง๐ฆ๐บ๐บ๐ธ
- Comments written in other languages are allowed.
- The substance of a post should be comprehensible for people who only speak English.
- Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
6. (NEW!) Regarding public figures
We all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations. - Keep discussions polite and free of disparagement.
- We are never in possession of all of the facts. Defamatory comments will not be tolerated.
- Discussions that get too heated will be locked and offending comments removed. ย
Please report posts and comments that break these rules!
Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.
founded 3 years ago
MODERATORS
It's possible, but at the very least someone glances over the derivation since it's part of the actual nixpkgs repo right? AUR on the other hand is a wild west.
I prefer to call it anarchy
Yes, on one hand every commit to nixpkgs needs review (to some degree) on the other hand there are far too many committers to nixpkgs.
There are also gaps such as the bots to auto-merge packages with maintainer approval, so a simple attack looks like this:
So nixpkgs is better than the AUR, but it isn't great and unlike Arch has no separate official repos.
Yeah if the url is https://i_hack.you/ yeah that will be easy to spot. But imagine an attacker just to a "patch update", updating the url and hash to the malicious repository, and use a typo squatted domain/repository, that will make it harder to spot.
No, it would actually be quite easy to spot.
Nixpkgs templates the source code url fro the url, and then it injects a variable
Here is an example from bash:
If the url were to be changed, it would show up as a change in git when someone is reviewing before merging.