For caching, this means avoiding public caches like cache.nixos.org whenever possible and using trusted private caches like FlakeHub Cache instead. Public caches have lots and lots of good stuff in them, of course, but they’re massive and the security and review practices behind them are not always airtight. When you pull from them to build production systems, you’re working with a porous trust model. We built FlakeHub Cache as a strictly private cache with no public access whatsoever to fill this precise gap in traditional approaches to Nix caching.
Huh, that’s concerning, do you have more about the trustworthiness of the NixOS cache?
It would be of great concern if the cache cannot be trusted. Should I remove it from my secure systems?
(EDIT) There is no cause for concern. If you were concerned, like the people who asked me about this blog post: there is nothing here but vague aspersions cast at the NixOS project, all to prop up a VC’s proprietary and private project.
The intended message, AFAICT, is as such:
If (as an organization, mainly) you have special needs that would benefit from a full rebuild of every package involved, you might want to remove the foundation’s cache, otherwise it will be used.
In doing so, you may want to use another cache. Otherwise it gets inconvenient to manage the rebuilds across deployments.
There are different products around managing private caches, and maybe doing more stuff too. There’s also the option of running one “from scratch” for private use. So as always, if you have special needs regarding builds, and don’t know how the NixOS ecosystem can manage those, don’t hesitate to consult, and maybe with more than one VC-backed business that has everything to lose if the adoption of their private platform is insufficient.
DISCLAIMER: I currently have no conflict of interest making these aspersions. I am not currently doing consulting work around the NixOS ecosystem, and am not currently looking for doing so. There are enough NixOS-ecosystem consultants that can help, including ones that will not have my bias, if you so prefer.
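For readers who do decide to drop the foundation’s cache and point at their own, the following is an added NixOS configuration example, not code from any post in this thread; the cache URL and public key are placeholders to be replaced with your own cache’s values.

```nix
# Added example (not from the thread): a NixOS module that removes the public
# cache from the substituter list and pins a single private cache instead.
# The URL and key below are PLACEHOLDERS for your own cache's values.
{ config, lib, pkgs, ... }:

{
  nix.settings = {
    # Replace the substituter list outright so cache.nixos.org is not consulted.
    substituters = lib.mkForce [ "https://cache.example.internal" ];
    # Only accept store paths signed by the private cache's key (placeholder value).
    trusted-public-keys = lib.mkForce [
      "cache.example.internal-1:PLACEHOLDER_BASE64_PUBLIC_KEY="
    ];
    # Refuse unsigned store paths, even when a substituter offers them.
    require-sigs = true;
  };
}
```

Anything not already present in the private cache will then be built locally, which is the rebuild cost the post above mentions.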