After our last update and a break over the holidays, we have met with GitHub again and have good news:
- We now have fully sponsored free GitHub Enterprise Cloud for the NixOS organization!

  This is something that has been talked about for the past few years, and greatly increases the limits on GitHub Actions and PR reviewers, while unlocking a lot of new functionality for fine-grained permissions and audit log APIs.
- GitHub have diagnosed and fixed the primary remaining cause of replication issues. Apparently, our diligent r-ryantm bot was causing replication issues because the API to open PRs did not automatically sync Git objects from a fork to the shared Nixpkgs fork network repository. This was something that affected repositories all over GitHub, and has now been fixed on their backend.

  GitHub confirmed that they consider the scalability issues resolved and we don't have any more scheduled calls with them, although we will keep the point of contact available and they will get in touch if anything comes up. We also have the merge conflict label job running again.
- We're looking at creating a formal team around package provenance and SBOMs. This team would be delegated authority and responsibility to work on a design and implementation to improve Nixpkgs security and assist vulnerability tracking without unduly burdening maintainers, impacting performance, or letting tricky dependencies like those hidden inside fixed-output derivations fall through the cracks. We've already reached out to some prospective candidates, but invite anyone else interested in working on this upstream in Nixpkgs to reach out.
- Following on from our decision about closed teams, we have finished working with existing teams to reorganize maintenance around topics rather than affiliation and updated the maintainer documentation to match.

Thanks again to @infinisil for diligent note-taking during the GitHub calls, and as always, feel free to get in touch with us.