To bring some actually productive talk into this thread: anyone doing work around a more compliance-oriented nix-based distro?
I know sbomnix exists (and that’s the main entrypoint for finally introducing nix at the startup I work at, easy to convince people nix is a good idea if you can explain that “distroless” containers aren’t littered with software you don’t use :p), but nixpkgs is absolutely littered with cruft that should never make it onto a production system (e.g. shittier), and it’s hard to keep track of the provenance or quality (including of maintenance) of individual modules/packages.
I think there absolutely is a world in which a much reduced scope of packages and modules (similar to the set of packages tested for -small), perhaps with a closer look at tying up the hardening story, is defined and maintained a bit more strictly. That’d make it much easier to talk to these kinds of companies about deploying NixOS in production, rather than just using it for dev. A subset like that would probably help define metadata for SBOMs, too, and limit that effort to a critical subset instead of the Sisyphean task it’d be today.
I even wonder if some kind of function for producing scopes of package closures for systemd services would be possible, and enable fully locked-down services the way systemd upstream appears to intend Linux security to work, instead of the massive hole that is /nix/store today.
I think it’d seriously help focus maintenance attention, too, instead of bogging maintainers down with the general accretion disk of packages.
… just trying to help y’all derail this thread with food for thought, at this point we have more metadrama posts from people asking what the drama is about than actual drama.
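As an added illustration of the per-service closure scoping the post wonders about (not code from the post's author or from any project it names): the NixOS `confinement` service option builds a service-private root containing only the closure of the listed packages, so the unit sees that closure rather than all of /nix/store. The service name `example-exporter`, the package `pkgs.example-exporter`, and the listening port are placeholders; the option names are assumed to be the current NixOS ones.

```nix
# NixOS module fragment: one systemd service whose filesystem view is
# limited to its own package closure, plus standard systemd hardening.
{ config, pkgs, lib, ... }:

{
  systemd.services.example-exporter = {
    description = "Hypothetical metrics exporter, confined to its closure";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    # Build a private root that contains only the closure of these
    # packages instead of exposing the whole /nix/store to the unit.
    confinement = {
      enable = true;
      packages = [ pkgs.example-exporter ];   # placeholder package
      mode = "full-apivfs";                    # private /proc, /sys, /dev
    };

    serviceConfig = {
      ExecStart = "${pkgs.example-exporter}/bin/example-exporter --port 9100";
      DynamicUser = true;                  # unprivileged, transient uid
      NoNewPrivileges = true;              # no setuid escalation
      CapabilityBoundingSet = "";          # drop every capability
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
      SystemCallArchitectures = "native";
    };
  };
}
```

After a rebuild, `systemd-analyze security example-exporter.service` reports the remaining exposure, and listing the unit's root via the confinement mount shows only the scoped closure.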