Nixpkgs core team update 2026-01-22

After our last update and a break over the holidays, we have met with GitHub again and have good news:

  • We now have fully sponsored free GitHub Enterprise Cloud for the NixOS organization! :tada:

    This is something that has been talked about for the past few years, and greatly increases the limits on GitHub Actions and PR reviewers, while unlocking a lot of new functionality for fine‐grained permissions and audit log APIs.

  • GitHub have diagnosed and fixed the primary remaining cause of replication issues. Apparently, our diligent r-ryantm bot was causing replication issues because the API to open PRs did not automatically sync Git objects from a fork to the shared Nixpkgs fork network repository. This was something that affected repositories all over GitHub, and has now been fixed on their backend.

    GitHub confirmed that they consider the scalability issues resolved and we don’t have any more scheduled calls with them, although we will keep the point of contact available and they will get in touch if anything comes up. We also have the merge conflict label job running again.

  • We’re looking at creating a formal team around package provenance and SBOMs. This team would be delegated authority and responsibility to work on a design and implementation to improve Nixpkgs security and assist vulnerability tracking without unduly burdening maintainers, impacting performance, or letting tricky dependencies like those hidden inside fixed‐output derivations fall through the cracks. We’ve already reached out to some prospective candidates, but invite anyone else interested in working on this upstream in Nixpkgs to reach out.

  • Following on from our decision about closed teams, we have finished working with existing teams to reorganize maintenance around topics rather than affiliation and updated the maintainer documentation to match.

Thanks again to @infinisil for diligent note‐taking during the GitHub calls, and as always, feel free to get in touch with us.

67 Likes

It looks like the first effect of upgrading to GitHub Enterprise has been a marketing email sent to every org member telling them about pull requests :sweat_smile:

Very sorry about that, and I’ve reached out to GitHub to try and make sure it won’t happen again.

37 Likes

Oh this is why I’m suddenly subscribed to all kinds of bullshit marketing mailing lists from GitHub? Lol I thought I clicked something by accident. Can we make sure we bulk unsubscribe everyone somehow? I unsubscribed myself now but would be nice to not spam people with marketing

7 Likes

Good work!

I don’t like that this deepens our integration and thus reliance on GitHub, but can’t deny that right now this is progress.

3 Likes

We don’t have much of a choice, unfortunately.

If it’s not GitHub, it’s going to be someone else we’ll have to rely on.

Wow this is awesome
I’d like to volunteer to help on the package provenance and SBOMs.
@qyliss How can I do it?

Have already posted updates about this on Matrix but should probably mention here as well: we’ve been in contact with GitHub about the marketing emails. They are on board with not sending them to open source projects. They’re working on it but do not have an immediate fix.

4 Likes

Right, we should have said that explicitly in the update post. Send us an email: nixpkgs-core@nixos.org

How did you manage to unsubscribe?

I’m getting about one email per day, to each of my email addresses in GitHub (about 20 in total).

I’ve unsubscribed from all marketing emails in my address settings (which you have to do on a per-address basis), however that seems to be ignored.
Nor are the unsubscribe links in the emails working, those all lead to pages with 404 errors.
The same is true for the link in the List-Unsubscribe header.
And unsubscribing using the email address in that header also doesn’t seem to work.

I find that, frankly, unacceptable.

2 Likes

The “nuclear option” that should actually solve this problem is leaving the Enterprise.
Let’s see whether that actually stops them from sending me unsolicited emails.

I actually reached out to GitHub support about this because I’m in the same situation: I have unsubscribed manually from all my emails, and the unsubscribe link returns 404.

Got this as a reply (which is how I figured out it was because of NixOS):

Thanks for reaching out to GitHub Support. I’m sorry to hear about those unwanted emails. I believe that these are “onboarding” emails sent to admins in new accounts, which in your case appears to be the NixOS organization. We have heard from other members of the NixOS organization as well and are looking into this. As for unsubscribing, were you trying to do this from a mobile device? We have heard from other users that the mobile unsubscribe link returns a 404, but the same link on desktop will work. If you are unable to unsubscribe still let me know and I can forward the request to unsubscribe all of your email addresses.

I’ve asked them to unsubscribe me manually, let’s see if that works in my case.

1 Like

Leaving the enterprise didn’t help.
I received additional unsolicited email today.

Given that I’m by no means an admin of the NixOS org / enterprise, I don’t know why I would get any onboarding emails that are sent to admins.
I tried unsubscribing on desktop, that doesn’t help.

How did you contact GitHub support?
I didn’t find a way to actually reach them.

If you want to go even more nuclear you can write an email to GitHub support and mention the CAN-SPAM Act and reporting them to the FTC. It’s not very polite but when unsubscribe links don’t work sometimes it’s your only option.