Geistesblitz: Empower our Trust Model through a Policy Decision Agent


To improve our trust model, the community as a whole needs a trusted agent that securely provides easily auditable and amendable policy decisions about modifications to certain parts of the reference repositories. GitHub's all-or-nothing "committer" model does not provide the granularity of control that a project of this size needs.

There are several open source policy agents available. However, Open Policy Agent stands out through its flexibility (the Rego domain-specific language), its wide ecosystem (even a PAM implementation exists) and its portability: it provides transparent, well-defined policy decision APIs while decoupling policy definition (Rego) from policy decision (the daemon agent).

Decoupling the definition from the agent's implementation has the decisive benefit of enabling a GitOps-based workflow, in which policy decisions are drafted as a pull request implementing the Rego against a repository's main branch under a designated path such as .github/policies (while not being coupled to GitHub at all).
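As an added illustration (not code from the original post or from any Nix project), here is what such a policy under .github/policies could look like: a Rego module that decides whether a pull request author may touch the files in a diff, based on path-prefix ownership. The package name, the `path_owners` table, the team names and the shape of `input` are all assumptions made for this example; in a real deployment the ownership table would live in a data document next to the policy, and the CI job would feed the PR author and changed file list in as `input`.

```rego
package nixpkgs.authz

import rego.v1

# Fail closed: nothing is allowed unless a rule below proves otherwise.
default allow := false

# Constructed example of path ownership (assumption, not real nixpkgs data).
# Keys are path prefixes, values are the teams allowed to change them.
path_owners := {
	"pkgs/development/": {"maintainers"},
	"nixos/modules/": {"nixos-maintainers"},
	"lib/": {"core"},
}

# A single file is allowed when some owning prefix matches it and the
# author is in at least one of that prefix's teams.
file_allowed(f) if {
	some prefix, teams in path_owners
	startswith(f, prefix)
	some t in teams
	t in input.author.teams
}

# Set of files the author may not change; surfaced in the decision so that
# CI logs explain a denial instead of just printing "false".
denied_files contains f if {
	some f in input.files
	not file_allowed(f)
}

# The whole change is allowed only when it touches at least one file
# (an empty diff must not pass vacuously) and nothing is denied.
allow if {
	count(input.files) > 0
	count(denied_files) == 0
}

# Unit tests run by `opa test` in the policy PR itself, so a policy change
# is reviewed together with the behaviour it guarantees.
test_maintainer_can_change_package if {
	allow with input as {
		"author": {"login": "alice", "teams": ["maintainers"]},
		"files": ["pkgs/development/tools/foo/default.nix"],
	}
}

test_maintainer_cannot_change_lib if {
	not allow with input as {
		"author": {"login": "alice", "teams": ["maintainers"]},
		"files": ["pkgs/development/tools/foo/default.nix", "lib/strings.nix"],
	}
	denied_files["lib/strings.nix"] with input as {
		"author": {"login": "alice", "teams": ["maintainers"]},
		"files": ["pkgs/development/tools/foo/default.nix", "lib/strings.nix"],
	}
}

test_empty_diff_is_denied if {
	not allow with input as {"author": {"login": "bob", "teams": ["core"]}, "files": []}
}
```

A CI job would evaluate this with `opa eval -i input.json -d .github/policies 'data.nixpkgs.authz'`, where `input.json` carries the PR author's teams and the changed paths, and gate merging on `allow` being true. Because the decision is a pure function of the policy file, the data document and the input, every verdict can be reproduced after the fact from the repository history, which is what makes the policy auditable rather than merely configurable.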

Impact analysis

  • For core stakeholders of the ecosystem, any agreed-upon policy can be implemented relatively easily, and discussions would no longer be narrowly limited by the cost of implementation.
  • For users of the ecosystem, a clear and auditable policy repository will be a suitable foundation for increasing trust levels in this diverse OSS ecosystem.
  • A stringent policy process, enabled by such tooling, would become an excellent marketing tool for Nix's adoption, stressing the security model alongside the reproducibility guarantees that lay the foundations of Nix.


Today I happened to find a YAML-based implementation:

Yet, what if its domain model falls short of our intricate policy requirements? At the very least, we should have a comparative look.