I'm curious how much review happens in Nix packages. It seems like individual packages have maintainers (who are typically not the software authors). I wonder how much latitude they have to add their own patches, change the source repo's URL, or other sneaky things.
Not a lot in most cases. You’re still just grabbing a package and blindly building whatever source code you get from the web. Unless the maintainer is doing their due diligence, nothing.
Goes the same for almost all packages in all distros though.
I’d say most of us have some connection to what we’re packaging but there are plenty of hastily approved and merged “bump to version x” commits happening.
Nixpkgs package maintainers don't usually have commit rights. I assume that if one tried to include some weird patch, the reviewer would at least glance at it before committing.
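The two worries raised above (a maintainer quietly swapping the source origin or slipping in a patch during a "bump to version x" commit) are things a reviewer can check mechanically before glancing at the rest of the diff. The following is an added example, not code from this thread or from nixpkgs: it takes a simplified, constructed package expression before and after a bump, pulls out the source-identifying attributes (`url`/`owner`/`repo`, `rev`, `version`, `hash`/`sha256`) and the `patches` list with a plain regex, and reports origin changes, added or removed patches, and the classic fixed-output mistake where the version moves but the hash does not (in which case Nix reuses the cached old source instead of fetching the new one). The `make_expr` fixture builder and the package name `example-tool` are assumptions for the demonstration.

```python
import re

# Attributes that identify where the source comes from. `sha256` is the older
# spelling of `hash` in fetcher calls, so both are checked.
SOURCE_KEYS = ("url", "owner", "repo", "rev", "version", "hash", "sha256")


def make_expr(owner: str, version: str, src_hash: str, patches: list[str]) -> str:
    """Build a constructed, simplified package expression (a hypothetical fixture,
    not a real nixpkgs file) so the checks below can run offline."""
    patch_list = " ".join(patches)
    return f'''
stdenv.mkDerivation rec {{
  pname = "example-tool";
  version = "{version}";
  src = fetchFromGitHub {{
    owner = "{owner}";
    repo = "example-tool";
    rev = "v${{version}}";
    hash = "{src_hash}";
  }};
  patches = [ {patch_list} ];
}}
'''


def extract_source_fields(expr: str) -> dict:
    """Pull `key = "value";` lines for the source keys plus the patches list.
    A regex is enough for the flat fetcher stanzas used in this example."""
    fields = {}
    for key in SOURCE_KEYS:
        m = re.search(rf'^\s*{key}\s*=\s*"([^"]*)"\s*;', expr, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    m = re.search(r"patches\s*=\s*\[([^\]]*)\]", expr, re.DOTALL)
    fields["patches"] = tuple(m.group(1).split()) if m else ()
    return fields


def review_source_changes(old_expr: str, new_expr: str) -> list[str]:
    """Return human-readable findings a reviewer should look at before merging."""
    old, new = extract_source_fields(old_expr), extract_source_fields(new_expr)
    findings = []

    # 1. Did the source origin move (different URL, owner or repo)?
    for key in ("url", "owner", "repo"):
        if old.get(key) != new.get(key):
            findings.append(
                f"source origin changed: {key} {old.get(key)!r} -> {new.get(key)!r}"
            )

    # 2. Version or rev moved but the fixed-output hash stayed the same: the bump
    #    would silently keep building the previously fetched source.
    version_moved = (old.get("version"), old.get("rev")) != (new.get("version"), new.get("rev"))
    for hkey in ("hash", "sha256"):
        if hkey in old and hkey in new and version_moved and old[hkey] == new[hkey]:
            findings.append(
                f"{hkey} unchanged although version/rev changed: "
                "the fixed-output fetch will reuse the cached old source"
            )

    # 3. Any patch added or removed deserves its own read-through.
    old_patches, new_patches = set(old["patches"]), set(new["patches"])
    for p in sorted(new_patches - old_patches):
        findings.append(f"patch added: {p}")
    for p in sorted(old_patches - new_patches):
        findings.append(f"patch removed: {p}")
    return findings


# Constructed before/after fixtures: the bump also moves the repo to a fork and adds a patch.
OLD_EXPR = make_expr("example-org", "1.2.0", "sha256-OLDHASHPLACEHOLDER=", ["./fix-build.patch"])
NEW_EXPR = make_expr(
    "example-org-fork", "1.3.0", "sha256-NEWHASHPLACEHOLDER=",
    ["./fix-build.patch", "./unrelated-change.patch"],
)

if __name__ == "__main__":
    for line in review_source_changes(OLD_EXPR, NEW_EXPR):
        print(line)
```

On the fixtures above the checker flags the owner change and the new patch; running it with the new version but the old hash flags the unchanged hash instead. For real expressions the extraction would have to follow Nix's actual syntax (string interpolation, attribute sets spread over several fetchers), so treat this as the shape of the check rather than a drop-in tool.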
OCaml's opam does have a review process, although I'm not sure how exhaustive. It's got a proper maintenance team checking for package compatibility, updating manifests and removing problematic versions.
I don't think this would be viable if the OCaml community grew larger though.
Some alternative sources for other languages do it. Conda-forge has a process that involves some amount of human vetting. It's true that it doesn't provide much protection against some kinds of attacks, but it makes it harder to just drop something in and suddenly have a bunch of people using it without anyone ever looking at it.
IMO C/C++ is not much better, sure, no central package management system, but then people rewrite everything because it's too hard to use a dependency. Now if you do want to use one of the 1000 rewrites of a library, you'll have a lot more checking to do, and integration is still painful.
Painless package management is a good thing. Central package repositories without any checking aren't. You don't have to throw away the good because of the bad.
Correct me if I'm wrong but the usual advice in the C/C++ world is just grab the source code of any libraries you want and build them yourself (or use built-in OS libs). This is not great if you have a lot of dependencies.
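If you do vendor library sources by hand as described above, the two checks that matter are that the archive you build is byte-for-byte the one you reviewed, and that unpacking it cannot write outside the vendor directory. The following is an added example written for this thread, not code from any project mentioned in it: it builds a small constructed tarball in memory, pins its SHA-256, shows that a single flipped byte fails verification, and lists archive members that would escape the extraction root (absolute paths, `..` components, symlinks or hard links). The sample file names are assumptions for the demonstration.

```python
import hashlib
import hmac
import io
import tarfile
from pathlib import PurePosixPath


def sha256_hex(data: bytes) -> str:
    """Hex digest of an archive; this is the value you pin after reviewing the source."""
    return hashlib.sha256(data).hexdigest()


def verify_archive(data: bytes, expected_hex: str) -> bool:
    """True only if the archive matches the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def unsafe_members(data: bytes) -> list[str]:
    """Names of tar members that could write outside the extraction directory."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            path = PurePosixPath(member.name)
            if path.is_absolute() or ".." in path.parts or member.issym() or member.islnk():
                flagged.append(member.name)
    return flagged


def make_sample_tarball(files: dict[str, bytes]) -> bytes:
    """Constructed, uncompressed tarball built in memory with fixed mtimes so the
    digest is reproducible. Stands in for a downloaded source archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed "good" archive and a one-byte-different copy of it.
GOOD_ARCHIVE = make_sample_tarball({"libfoo-1.0/foo.c": b"int foo(void) { return 1; }\n"})
PINNED_DIGEST = sha256_hex(GOOD_ARCHIVE)
TAMPERED_ARCHIVE = GOOD_ARCHIVE[:-1] + bytes([GOOD_ARCHIVE[-1] ^ 0x01])

if __name__ == "__main__":
    print("good archive verifies:", verify_archive(GOOD_ARCHIVE, PINNED_DIGEST))
    print("tampered archive verifies:", verify_archive(TAMPERED_ARCHIVE, PINNED_DIGEST))
    print("unsafe members in good archive:", unsafe_members(GOOD_ARCHIVE))
```

Pin the digest in your build files next to the download URL and fail the build when `verify_archive` returns False; run `unsafe_members` before extracting and refuse archives that report anything. The member check matters because a tar file can carry any path it likes, and older extraction code follows it.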
bqmjjx0kac|11 months ago
bamboozled|11 months ago
jowea|11 months ago
debugnik|11 months ago
BrenBarn|11 months ago
SunlitCat|11 months ago
carlmr|11 months ago
JTbane|11 months ago
rcxdude|11 months ago