I think thus far we still haven’t addressed OP’s concern regarding the trust model of Nixpkgs. FWIW I also don’t understand this trust model, and what threats it’s designed to address. I’ve heard this concern come up in the past, so I think it may be worth writing something up and putting it somewhere on the website.
Some basic questions I don’t know the answers to:
- How many people have push access to the `master` branch of nixpkgs? Who are they?
- Is the `master` branch a protected branch, i.e. all changes must come via PRs? If not, why not?
- Are package maintainers only allowed to push to the packages they own? Or do they have push access to arbitrary code anywhere in nixpkgs?
- Who (person/organization) is responsible for maintaining nixpkgs and is responsible for overseeing and certifying its security and integrity?
The question of whether or not builds are reproducible seems orthogonal to most of these questions IMHO, and I don’t think it’s a practical concern for security-oriented folks: they can always rebuild from scratch. But AFAIU we don’t have an official stance or policy on the security of nixpkgs itself.