Hi,
I would like to share my worries when it comes to trusting nixpkgs. From this GitHub statistics page, we can see that over 1 month, 3882 PRs have been merged by 555 people; this is very high and good for nixpkgs to stay up to date.
My problem is that there is so much activity that it’s impossible to review everything going in.
And NixOS modules are double-edged here: it’s nice because the community provides you all the work you would normally have to do manually or automate with ansible/salt/custom scripts, but at the same time, any contributor can affect your production systems by modifying the modules.
With that activity, it may even be quite easy, if you are skilled, to get merging rights for one account, and then create a second fake account to get authorization for it too; then you can easily create changes, approve and merge them in a single-user managed duo of GitHub accounts.
This could be partially mitigated by having a proper tool for comparing what changed EXACTLY between two NixOS derivations for the modules in use, but AFAIK this doesn’t exist yet, and if so, it would still be tedious to review every change made for daily updates.
I wondered if other people shared these worries.
Obviously, I’m fully aware that open source relies on trust, but it’s easier to trust something you can actually review as a single person, but nixpkgs is too big to be reviewed almost daily.
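The post above asks for a tool that shows exactly what changed between two NixOS system derivations. The following script is an added example, not code from the post or from the Nix project: it diffs two runtime closures at the store-path level, the same kind of comparison `nix store diff-closures` performs, and flags the case a reviewer cares about most, a package whose version did not change but whose store hash did (a source, patch or dependency change with no version bump). The two closures are constructed sample input in the shape of `nix-store --query --requisites` output; in practice you would feed it the closures of the old and new `/run/current-system` paths. It does not see NixOS module option changes, only the store paths they produce.

```python
import re
from collections import defaultdict

# /nix/store/<32-char hash>-<name>-<version>
STORE_PATH_RE = re.compile(r"^/nix/store/([a-z0-9]{32})-(.+)$")


def parse_drv_name(name_version):
    """Split 'openssl-3.0.12' into ('openssl', '3.0.12') the way Nix's
    parseDrvName does: the version starts at the first '-' followed by a digit."""
    for i, ch in enumerate(name_version):
        if ch == "-" and i + 1 < len(name_version) and name_version[i + 1].isdigit():
            return name_version[:i], name_version[i + 1:]
    return name_version, ""


def parse_closure(text):
    """Map package name -> set of (version, hash) for every store path listed."""
    pkgs = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STORE_PATH_RE.match(line)
        if not m:
            raise ValueError(f"not a store path: {line}")
        store_hash, name_version = m.groups()
        name, version = parse_drv_name(name_version)
        pkgs[name].add((version, store_hash))
    return pkgs


def diff_closures(old_text, new_text):
    """Return added/removed package names and, for packages present in both,
    whether the version changed or only the hash changed ('rebuild')."""
    old, new = parse_closure(old_text), parse_closure(new_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = []
    for name in sorted(set(old) & set(new)):
        if old[name] != new[name]:
            old_versions = sorted(v for v, _ in old[name])
            new_versions = sorted(v for v, _ in new[name])
            # same version, different hash: inputs changed without a version bump
            kind = "version" if old_versions != new_versions else "rebuild"
            changed.append((name, kind, old_versions, new_versions))
    return {"added": added, "removed": removed, "changed": changed}


# Constructed sample closures (hashes are placeholders, not real store paths).
OLD_CLOSURE = f"""
/nix/store/{'a' * 32}-openssl-3.0.12
/nix/store/{'b' * 32}-curl-8.4.0
/nix/store/{'c' * 32}-glibc-2.38-44
/nix/store/{'d' * 32}-nginx-1.24.0
/nix/store/{'e' * 32}-sudo-1.9.15p5
"""

NEW_CLOSURE = f"""
/nix/store/{'f' * 32}-openssl-3.0.13
/nix/store/{'g' * 32}-curl-8.4.0
/nix/store/{'c' * 32}-glibc-2.38-44
/nix/store/{'d' * 32}-nginx-1.24.0
/nix/store/{'h' * 32}-openssh-9.6p1
"""


def demo():
    return diff_closures(OLD_CLOSURE, NEW_CLOSURE)


if __name__ == "__main__":
    report = demo()
    for name in report["added"]:
        print(f"+ {name}")
    for name in report["removed"]:
        print(f"- {name}")
    for name, kind, ov, nv in report["changed"]:
        print(f"~ {name}: {kind} {ov} -> {nv}")
```

A `rebuild` entry is the one to open first when reviewing a daily update: the version string gives no hint of what changed, so the corresponding nixpkgs commit (or `nix derivation show` on both paths) has to be read to see the actual diff.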