Best practices for Nix at work

Apologies for the delay. I was doing another webinar this week and got a bit in the weeds on that. While I do think that the issue of review processes and standards in Nixpkgs is real and vital, on due reflection I think that some of you are correct in saying that that doesn’t get to the heart of the issue, so I’ll elaborate a bit more.

Under ideal conditions it wouldn’t matter which cache you pull something from. A derivation has a store path and that store path is in a known cache because it was built by a properly functioning version of Nix, signed, and copied over. Now here the trusted builder part emerges as the key assumption. Because you could, in principle, have EvilNix calculate a store path from a derivation, insert whatever content into the Nix store, and then sign it and copy it over to c.n.o. And then unsuspecting victims use those contents in systems all over the world and bad things happen.

Fortunately, this has never happened. Instead, only a properly functioning Nix has ever built the things pushed into c.n.o., right? Hmmm, actually no:

For some period of time, Lix, not Nix, was building packages from Nixpkgs and presumably copying them over to c.n.o. Did Lix insert evil contents into those packages and have them masquerade as valid store paths? Doesn’t seem that way. Was this a big deal for me using Nix in my personal projects? Naw, not really. Should a small company running a few NixOS boxes lose sleep over this? Probably not.

But at root, and @arianvp has eloquently made similar points, it’s a question of risk modeling. If I were a CTO in, say, a financial institution or an automobile company, it would give me a great deal of pause knowing that some subset of store paths in c.n.o., even a small one, was built by not-Nix. I would wonder if similar incidents had occurred in the past. I would take things like this into heavy consideration when adopting an internal Nix strategy. More generally, the fact that something like this was possible in the first place would have made me inclined to build on my own infra long before this incident happened.

I’m not bringing this up to throw salt on old wounds or to call anyone out. I have no quarrel with the Lix project or any of the people involved with this incident. But I do think it illustrates the problem rather colorfully. So no, @samueldr, we at Determinate Systems don’t have any special insider knowledge about Nixpkgs or Hydra. We only have the public record. In the future, though, we’ll strive to do a better job of spelling out our reasoning when it comes to controversial recommendations like this. Some of the criticisms raised here were quite fair in this regard.

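The trusted-builder assumption described in the post, as an added example (not from the post above, and not code from Nix, Lix or Determinate Systems). It uses the Go standard library's Ed25519 to sign and verify the string a Nix binary cache actually signs, the fingerprint `1;<storePath>;<narHash>;<narSize>;<references>`, and then plays out the "EvilNix" scenario: a second narinfo with the same store path but different contents, signed with the same cache key, verifies just as cleanly as the honest one, because the signature only says "whoever holds this key vouches for these bytes at this path", not "a properly functioning Nix produced them". The key seeds, the key names `example-cache-1` and `rogue-1`, the store path, the hashes and the sizes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// NarInfo holds the .narinfo fields that a binary-cache signature covers,
// plus the Sig line itself.
type NarInfo struct {
	StorePath  string   // /nix/store/<hash>-<name>
	NarHash    string   // "sha256:<nix base32>", as printed in the narinfo
	NarSize    uint64   // bytes
	References []string // full store paths of runtime dependencies
	Sig        string   // "<key name>:<base64 ed25519 signature>"
}

// Fingerprint builds the exact string Nix signs for a store path:
//
//	1;<storePath>;<narHash>;<narSize>;<ref1>,<ref2>,...
//
// Note what is absent: the derivation, the builder, and how the output was
// produced. The signature vouches for the output bytes at that path only.
func Fingerprint(n NarInfo) string {
	return fmt.Sprintf("1;%s;%s;%d;%s",
		n.StorePath, n.NarHash, n.NarSize, strings.Join(n.References, ","))
}

// SignNarInfo returns the Sig field as `nix store sign` would write it.
func SignNarInfo(n NarInfo, keyName string, priv ed25519.PrivateKey) string {
	sig := ed25519.Sign(priv, []byte(Fingerprint(n)))
	return keyName + ":" + base64.StdEncoding.EncodeToString(sig)
}

// VerifyNarInfo does what a substituting client does with its
// trusted-public-keys: look the key name up, decode, verify the fingerprint.
func VerifyNarInfo(n NarInfo, trusted map[string]ed25519.PublicKey) bool {
	name, b64, ok := strings.Cut(n.Sig, ":")
	if !ok {
		return false
	}
	pub, ok := trusted[name]
	if !ok {
		return false // key not trusted: the substitute is refused
	}
	sig, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(Fingerprint(n)), sig)
}

// Outcome records what the client accepts in each scenario.
type Outcome struct {
	HonestVerifies     bool // built by a correct Nix, signed by the cache key
	EvilVerifies       bool // same store path, different bytes, same cache key
	TamperedVerifies   bool // different bytes but the honest signature reused
	UnknownKeyVerifies bool // signed by a key the client does not trust
}

// Demo walks through the trusted-builder assumption with constructed data.
// Seeds, key names, store path, hashes and sizes below are all made up.
func Demo() Outcome {
	cachePriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	roguePriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	trusted := map[string]ed25519.PublicKey{
		"example-cache-1": cachePriv.Public().(ed25519.PublicKey),
	}

	honest := NarInfo{
		StorePath:  "/nix/store/b6ch5ym6xaz1pndknr4hm0g1gxy6a9fj-hello-2.12.1",
		NarHash:    "sha256:1b4sb93wp679q4zx9k1hax5ii4a5xz0kf6zvdxkzk7dq8ha5yz6a",
		NarSize:    226560,
		References: []string{"/nix/store/b6ch5ym6xaz1pndknr4hm0g1gxy6a9fj-hello-2.12.1"},
	}
	honest.Sig = SignNarInfo(honest, "example-cache-1", cachePriv)

	// EvilNix: same (input-addressed) store path, whatever bytes it likes,
	// signed with the cache key because the builder has access to it.
	evil := honest
	evil.NarHash = "sha256:" + strings.Repeat("0", 52)
	evil.NarSize = 226561
	evil.Sig = SignNarInfo(evil, "example-cache-1", cachePriv)

	// Tampering after signing: the fingerprint changes, the signature does not.
	tampered := evil
	tampered.Sig = honest.Sig

	// A builder without the cache key can only sign with its own.
	unknown := evil
	unknown.Sig = SignNarInfo(unknown, "rogue-1", roguePriv)

	return Outcome{
		HonestVerifies:     VerifyNarInfo(honest, trusted),
		EvilVerifies:       VerifyNarInfo(evil, trusted),
		TamperedVerifies:   VerifyNarInfo(tampered, trusted),
		UnknownKeyVerifies: VerifyNarInfo(unknown, trusted),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The two failing cases are the ones signature checking is designed for (a modified NAR, an untrusted key). The passing "evil" case is the one the post is about: once a builder is allowed to sign with the cache key, nothing in the narinfo tells a client which builder produced the bytes, so the only defence is controlling who holds that key, or running the builds on infrastructure you control.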