@tomberek 12d
Other than the very explicit tracking of the packages, their dependencies, the full build instructions, the public history, cryptographic signatures for the pre-built binaries, and the trivial ability for anyone to re-build from source and audit the entire chain all the way from bootstrap if they wished?

I’m not sure what golden standard we are comparing this to. It is not perfect, but I’d say this is a far more solid bedrock upon which to build software than anything else I’ve encountered.

@jcpsimmons 12d
There are no security implications other than those brought by the user. Freeze and host your own copies of libraries in an overlay (or write your own). The developer chooses which packages to use and from where, VERY explicitly and with a SHA which is far more secure than NPM for example (which is in production…everywhere).
@anon291 12d
Every nix package has to be signed in order for it to be installed via binary cache.
@chriswarbo 12d
You can see exactly where everything's come from, using a command like:

  nix-store --query --tree "$(nix-store --query --deriver "$(which python3)")"
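The signature check that anon291 and tomberek refer to can be reproduced on a small scale. The Go program below is an added example written for this thread, not code from the discussion or from Nix itself. It parses a constructed `.narinfo` record of the kind a binary cache serves, rebuilds the fingerprint Nix signs (`1;<storePath>;<narHash>;<narSize>;<comma-separated references>`), and verifies the `Sig:` line against a set of trusted Ed25519 keys, the same role `trusted-public-keys` plays in `nix.conf`. The key name, store paths and hash values are made up for the demonstration; the key pair is generated at run time rather than being any real cache key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// Narinfo holds the fields of a binary-cache record that the signature covers,
// plus the signature itself. Values are constructed for this example.
type Narinfo struct {
	StorePath  string
	NarHash    string // "sha256:<base32>" as it appears in the record
	NarSize    uint64
	References []string // full store paths
	Sig        string   // "<keyname>:<base64 ed25519 signature>"
}

// ParseNarinfo reads the "Key: value" lines of a .narinfo record. References
// are listed as store-path basenames in the record, so they are re-prefixed
// with /nix/store/ to match what the fingerprint uses.
func ParseNarinfo(text string) (Narinfo, error) {
	var n Narinfo
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		key, val, ok := strings.Cut(line, ": ")
		if !ok {
			return n, fmt.Errorf("malformed line: %q", line)
		}
		switch key {
		case "StorePath":
			n.StorePath = val
		case "NarHash":
			n.NarHash = val
		case "NarSize":
			size, err := strconv.ParseUint(val, 10, 64)
			if err != nil {
				return n, err
			}
			n.NarSize = size
		case "References":
			for _, ref := range strings.Fields(val) {
				n.References = append(n.References, "/nix/store/"+ref)
			}
		case "Sig":
			n.Sig = val
		}
	}
	return n, nil
}

// Fingerprint builds the exact byte string that a cache key signs.
func Fingerprint(n Narinfo) string {
	return fmt.Sprintf("1;%s;%s;%d;%s",
		n.StorePath, n.NarHash, n.NarSize, strings.Join(n.References, ","))
}

// SignNarinfo produces the "keyname:base64" Sig value for a record.
func SignNarinfo(priv ed25519.PrivateKey, keyName string, n Narinfo) string {
	sig := ed25519.Sign(priv, []byte(Fingerprint(n)))
	return keyName + ":" + base64.StdEncoding.EncodeToString(sig)
}

// VerifyNarinfo accepts a record only if its Sig names a trusted key and the
// signature matches the fingerprint. Any change to path, hash, size or
// references, or a key the client does not trust, makes it return false.
func VerifyNarinfo(trusted map[string]ed25519.PublicKey, n Narinfo) bool {
	name, b64, ok := strings.Cut(n.Sig, ":")
	if !ok {
		return false
	}
	pub, ok := trusted[name]
	if !ok {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, []byte(Fingerprint(n)), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed record; hash and path are placeholders, not real store objects.
	n, _ := ParseNarinfo("StorePath: /nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-python3-3.11\n" +
		"NarHash: sha256:0000000000000000000000000000000000000000000000000000\n" +
		"NarSize: 4096\n" +
		"References: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-python3-3.11 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-glibc-2.38\n")
	n.Sig = SignNarinfo(priv, "cache.example.org-1", n)
	trusted := map[string]ed25519.PublicKey{"cache.example.org-1": pub}
	fmt.Println("untampered record verifies:", VerifyNarinfo(trusted, n))
	n.NarSize++ // simulate a modified archive
	fmt.Println("tampered record verifies:  ", VerifyNarinfo(trusted, n))
}
```

The point of the example is that the signature binds the whole store-object identity (path, content hash, size, and the set of runtime references) to a key the client has chosen to trust, so a cache operator or a man-in-the-middle cannot substitute a different NAR, or quietly change its dependency closure, without the client's check failing.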