Maybe the CI could do, or maybe it already does, some basic security checks on committed Nix code?
Has the hash of the fetch changed, but not the version?
Has the https:// changed, and the hash, but the version remained the same?
Is there excessive ‘non-Nix code’ (bash/python/etc.) in the commit?
As Nix is a DSL, there is a chance of it performing mischief, but not as much as you think, and, more importantly, it is not kept well hidden… (deep in some shell script or dreaded binary).
Again, not everything in nixpkgs is as critical… some things are very critical.
I think, if anything, Nix makes you think about these things like trust…; it makes you have a good idea of how software ‘is built’, assembled together, and how much trust has to be in the chain.
It’s only when you see how much ‘trust’ goes into building a binary package… that you wonder why it works as well as it does.
Whereas with many distros it’s a case of
and you forget about all this, and make a coffee.
I vote for a NixOS ‘chaos branch’, where anyone can directly commit, just to see what happens ;-)
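As an added illustration of the CI heuristics suggested in this post (not code from the poster or from nixpkgs), here is a small Python checker run over constructed before/after snippets of a package expression; the field names it looks for and the growth threshold are assumptions:

```python
import re

# Constructed before/after snippets: fetch URL and hash change, version does not, a hook grows.
OLD = """stdenv.mkDerivation rec {
  version = "1.4.2";
  src = fetchurl {
    url = "https://example.org/example-tool-${version}.tar.gz";
    sha256 = "0000000000000000000000000000000000000000000000000000";
  };
}
"""
NEW = """stdenv.mkDerivation rec {
  version = "1.4.2";
  src = fetchurl {
    url = "https://mirror.example.net/example-tool-${version}.tar.gz";
    sha256 = "1111111111111111111111111111111111111111111111111111";
  };
  postInstall = ''
    mkdir -p $out/share/doc
    cp README $out/share/doc/
  '';
}
"""

def bindings(nix_src):
    """Extract simple `name = "value";` bindings (enough for fetch* arguments)."""
    return dict(re.findall(r'\b(version|url|sha256|hash)\s*=\s*"([^"]*)"\s*;', nix_src))

def script_lines(nix_src):
    """Approximate line count inside ''...'' strings (Nix's '' escapes are ignored)."""
    return sum(block.count("\n") for block in re.findall(r"''(.*?)''", nix_src, re.S))

def review(old_src, new_src, script_growth_limit=20):
    """Apply the heuristics from the post and return human-readable findings."""
    old, new = bindings(old_src), bindings(new_src)
    findings = []
    same_version = old.get("version") == new.get("version")
    hash_changed = any(old.get(k) != new.get(k) for k in ("sha256", "hash"))
    url_changed = old.get("url") != new.get("url")
    if same_version and hash_changed and url_changed:
        findings.append("fetch URL and hash changed but version did not")
    elif same_version and hash_changed:
        findings.append("fetch hash changed but version did not")
    growth = script_lines(new_src) - script_lines(old_src)
    if growth > script_growth_limit:
        findings.append(f"embedded non-Nix script grew by {growth} lines")
    return findings

if __name__ == "__main__":
    for finding in review(OLD, NEW, script_growth_limit=2):
        print("WARN:", finding)
```

A real CI job would run this over the old and new text of each changed `.nix` file in a pull request and treat any finding as a reason for a human to look closer, not as an automatic rejection.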