Faster, Pussycat! Kill! Kill!
Within a few minutes of watching it I knew it was going to be awesomely bad, and it lived up to my expectations
I’ll be honest, I have no idea. Sometimes, I get nagged that a package is insecure, and it seems reasonable like an old version of Electron, and then I just sigh and add it to my list of packages to ignore that warning on.
Trust is a broad term. If you’re paranoid, find the package you care about here, and read every line:
https://github.com/NixOS/nixpkgs
If you’re slightly less paranoid, check the git blame logs for anyone that’s touched a package you care about. If you trust all of them, then you’re good.
If you’re less paranoid than that, assume that someone reasonable is in charge of that repo. You’ll get warnings about insecure packages. I’ve had to OK a few insecure packages in my configuration.nix, because I assume the packagers are reasonable people. I may yet find out I’ve made a mistake.
Broadly speaking, I think it’s the same model as any other distro. Debian for example has volunteers that package stuff. You can go through the same process above and decide how paranoid you want to be for that as well.
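As an added example (not the commenter's own configuration), this is the shape of the configuration.nix exception the comment above refers to. The NixOS option `nixpkgs.config.permittedInsecurePackages` is real; the package string inside it is a constructed placeholder. The entry has to match the package's full `pname-version` string exactly, which is the useful property for a defender: pinning one version means the waiver stops applying as soon as the package is upgraded, so you are forced to re-evaluate instead of carrying a standing exception.

```nix
# configuration.nix fragment (added example, not from the comment thread).
# The package name/version is a constructed placeholder; the warning that
# NixOS prints tells you the exact "<pname>-<version>" string to use.
{ config, pkgs, ... }:

{
  nixpkgs.config = {
    # One entry per package you have consciously accepted. An exact version
    # means the exception expires on the next upgrade rather than silently
    # carrying over to whatever version ships next.
    permittedInsecurePackages = [
      "example-electron-99.0.0"   # placeholder value
    ];

    # The broader escape hatch (also a real option) accepts a predicate over
    # the package. Left commented out on purpose: a predicate that matches by
    # pname alone would waive every future version, which defeats the review
    # the comment describes.
    # allowInsecurePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "example-electron" ];
  };
}
```

After a `nixos-rebuild` that pulls in a newer version of the listed package, the warning comes back, which is the intended behaviour: the list is a record of what was reviewed, not a blanket trust decision.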
This would tie in nicely to existing library systems. As a plus, if your account ever gets stolen or if you’re old and don’t understand this whole technology thing, you can talk to a real person. Like the concept of web of trust.