  2. 6

    As always, I encourage people interested in this problem to look at its inventor’s pages on solving the root problems of verification of that software and security of software repos. Reference pages on high-assurance FLOSS and SCM security follow.

    http://www.dwheeler.com/essays/high-assurance-floss.html

    http://www.dwheeler.com/essays/scm-security.html

    1. 4

      That’s one of the fields that the Guix package manager aims to excel at: https://www.gnu.org/software/guix/

      1. 8

        Which is based on Nix:

        http://nixos.org/

        1. 5

          Both NixOS and Guix are likely going to need to lean heavily on Debian’s work in this arena; their manpower compared to both NixOS and Guix combined is nothing to sneeze at.

          In fact, I depend heavily on Debian. Their security tracker and patch tracker make patching NixOS for security issues far easier.

          Update to say: Thank you, Debian, for everything.

        2. 2

          It’s interesting that the “Formal definition” section only lists Debian as its single example: https://reproducible-builds.org/docs/formal-definition/. Surely this is something everyone needs, right?
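The formal definition linked above boils down to one check: the same source, built in two independent environments, must yield bit-for-bit identical output. The following is an added illustration of that check, not code from any commenter or from the reproducible-builds, Debian, Guix or Nix projects. It packs a constructed two-file source tree into a `.tar.gz` twice, once with a build that leaks environment details (clock, build user's uid, directory listing order) into the artifact and once with those inputs pinned (a fixed `SOURCE_DATE_EPOCH`-style timestamp, uid/gid 0, sorted entries, fixed gzip header mtime). The two build environments, the source tree and the timestamp values are all constructed for the example.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed source tree: the bytes a reproducible build promises to map to
# the same artifact every time, regardless of who builds it or when.
SOURCE = {
    "bin/hello": b"#!/bin/sh\necho hello\n",
    "share/doc/README": b"Hello package\n",
}

# Two constructed build environments. They differ only in things unrelated to
# the source: wall clock, the builder's uid, and the order readdir() returns.
ENV_A = {"now": 1_700_000_000, "uid": 1000, "listing": ["bin/hello", "share/doc/README"]}
ENV_B = {"now": 1_700_003_600, "uid": 1001, "listing": ["share/doc/README", "bin/hello"]}

# Fixed timestamp the reproducible build uses instead of the clock
# (the role SOURCE_DATE_EPOCH plays in real build systems; value constructed).
SOURCE_DATE_EPOCH = 1_600_000_000


def _pack(entries, mtime, uid, gzip_mtime):
    """Write (name, bytes) entries to a GNU tar stream, then gzip it."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = uid
            info.uname = info.gname = ""
            info.mode = 0o644
            tf.addfile(info, io.BytesIO(data))
    # gzip also stamps a header mtime; pin it explicitly rather than letting
    # gzip.compress() read the clock.
    return gzip.compress(tar_buf.getvalue(), compresslevel=9, mtime=gzip_mtime)


def naive_build(source, env):
    """A build that lets the environment leak into the artifact."""
    entries = [(name, source[name]) for name in env["listing"]]
    return _pack(entries, mtime=env["now"], uid=env["uid"], gzip_mtime=env["now"])


def reproducible_build(source, env):
    """The same build with every environment-dependent input pinned.

    `env` is accepted only to show it is deliberately ignored."""
    entries = sorted(source.items())  # independent of filesystem listing order
    return _pack(entries, mtime=SOURCE_DATE_EPOCH, uid=0, gzip_mtime=SOURCE_DATE_EPOCH)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_reproducible(build, source, envs):
    """The formal-definition check: every environment yields identical bytes."""
    digests = {sha256_hex(build(source, env)) for env in envs}
    return len(digests) == 1


if __name__ == "__main__":
    for name, build in (("naive", naive_build), ("reproducible", reproducible_build)):
        for label, env in (("A", ENV_A), ("B", ENV_B)):
            print(f"{name:12} env {label}: {sha256_hex(build(SOURCE, env))}")
        print(f"{name:12} reproducible across environments: "
              f"{is_reproducible(build, SOURCE, [ENV_A, ENV_B])}")
```

Running it prints two differing digests for the naive build and two identical ones for the pinned build. The same comparison is what a second, independent builder (the "rebuilder" in the reproducible-builds terminology) performs against a published artifact: if its digest matches, the published binary is known to come from the published source rather than from a compromised build host.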