Announcing Determinate Secure Packages 26.05

  1. What happens if you have a package installed that is in nixpkgs but not in this FIPS-enabled repo?
  2. What tools have you tried to import the FlakeBOM created SBOM? Which ones worked?
2 Likes

The coverage of the FIPS and regular branches is exactly the same. Any package not covered results in a cache miss. As for tools we’ve imported the SBOM into, we’ve tried a good handful of tools like Trivy, Grype, Sunshine, and Dependency-Track. As long as a tool follows the CycloneDX v1.5 JSON specification, things should work. However, some tools do not fully support every feature, so certain things (e.g. patches) may be ignored.

1 Like
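As an added illustration of the caveat about patches (example code written for this page; it is not a Determinate Systems tool and not part of the announcement): CycloneDX 1.5 records backported fixes under each component's `pedigree.patches`, and each patch carries a `resolves` list naming the issues it fixes. A scanner that ignores that field will still report those CVEs against the component version. The script below extracts the patched CVEs from an SBOM and flags scanner findings the SBOM already claims are fixed. The SBOM, purls and CVE identifiers in it are constructed placeholders, and `findings_already_patched` is a hypothetical helper, not a vendor API.

```python
"""Added example: reconcile CycloneDX 1.5 pedigree.patches with scanner output.

This is illustration code for the discussion above, not part of Determinate
Secure Packages or FlakeBOM. The SBOM below is constructed; its component
names, purls, URLs and CVE identifiers are placeholders, not real advisories.
"""
import json
from typing import Iterable, Iterator

# Constructed CycloneDX 1.5 document: one component with a backported security
# patch recorded in its pedigree, one component with no pedigree at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {
            "type": "library",
            "name": "examplelib",
            "version": "1.2.3",
            "purl": "pkg:generic/examplelib@1.2.3",
            "pedigree": {
                "patches": [
                    {
                        "type": "backport",
                        "diff": {"url": "https://example.invalid/fix-overflow.patch"},
                        "resolves": [
                            {"type": "security", "id": "CVE-0000-0001"},
                            {"type": "defect", "id": "issue-42"},
                        ],
                    }
                ]
            },
        },
        {
            "type": "application",
            "name": "exampletool",
            "version": "4.5",
            "purl": "pkg:generic/exampletool@4.5",
        },
    ],
})


def _walk(components: Iterable[dict]) -> Iterator[dict]:
    """Yield every component, descending into nested `components` lists."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))


def patched_components(sbom_json: str) -> dict[str, list[str]]:
    """Map each component (by purl, or name@version) to the security ids its
    pedigree patches claim to resolve. Components without such patches are
    omitted. Only specVersion 1.5 is accepted, matching the vendor statement."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if bom.get("specVersion") != "1.5":
        raise ValueError(f"expected specVersion 1.5, got {bom.get('specVersion')!r}")

    patched: dict[str, list[str]] = {}
    for comp in _walk(bom.get("components", [])):
        key = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        ids = set()
        for patch in comp.get("pedigree", {}).get("patches", []):
            for issue in patch.get("resolves", []):
                # Only security issues matter for scanner reconciliation.
                if issue.get("type") == "security" and issue.get("id"):
                    ids.add(issue["id"])
        if ids:
            patched[key] = sorted(ids)
    return patched


def findings_already_patched(sbom_json: str,
                             findings: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Given (purl, vulnerability id) pairs from a scanner, return the ones the
    SBOM's pedigree says are already fixed by a patch. These are the findings
    a patch-unaware scanner will keep raising and that need manual review."""
    patched = patched_components(sbom_json)
    return [(purl, vid) for purl, vid in findings if vid in patched.get(purl, [])]


if __name__ == "__main__":
    # Constructed scanner output: one finding the SBOM says is patched, one not.
    scanner_findings = [
        ("pkg:generic/examplelib@1.2.3", "CVE-0000-0001"),
        ("pkg:generic/exampletool@4.5", "CVE-0000-0002"),
    ]
    print("patched per SBOM:", patched_components(SAMPLE_SBOM))
    print("findings to review:", findings_already_patched(SAMPLE_SBOM, scanner_findings))
```

Run it against a real FlakeBOM output and the scanner's JSON export (after adapting the tuple extraction to that scanner's schema); anything returned by `findings_already_patched` is a place where the tool dropped the `pedigree.patches` data rather than a genuine unfixed CVE.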

Maybe you guys can provide CachyOS-like architecture-specific optimized packages… :wink:

Just stumbled upon this video (AUR got hacked): https://www.youtube.com/watch?v=nPVCoRHLWhA

From npm to nixpkgs, the level of freedom every package enjoys could have catastrophic effects, in particular when the package is built locally.

In contrast with Maven pom.xml packages, which—from memory—can’t do much other than copying JAR files into ~/.m2/.

Crazy times. One massive data leak or hack on an almost weekly basis. It was just a few days ago that Micro$oft got hacked—again.

I am even afraid of having my ~/.ssh compromised. Nevermind the good ol’ days where we could export our secret keys as env vars.

Crazy. Times.

Nix packages are built in a sandbox, they do not have access to your SSH keys during the build (on Linux at least; macOS Nix does not enable the sandbox by default).

nixpkgs isn’t quite comparable to the AUR. PRs to nixpkgs have to be merged by a committer (trusted maintainer) unless it is an automatically created update PR by the r-ryantm bot (or if the PR has been created by a committer).

4 Likes

“sandbox” (not a VM, not gvisor, not landlock)

secure packages

Literally a few hundred people who can merge anything at any time, not even considering the upstream projects; but generate an SBOM and match known CVE numbers, and now it sure is “secure” :melting_face:

1 Like

CVE remediation backed by an SLA

The one most based sentence in the post. This is what FOSS projects (meaning FOSS projects, not VC-backed startups) should learn to do in terms of interaction with “the industry”.

A question, preliminary it may be,

How do we know these packages are compliant, if their source we cannot see?

3 Likes