
msuozzo | 7 months ago

Author here!

> could've contributed SLSA attestations support to nix

That sounds like a great idea! However, one important consideration is that while an artifact on nixpkgs may aim to replicate the function of the upstream package, it must adhere to and interoperate with the rest of the distribution. Ultimately, its 'ecosystem' is nix. Work that goes into writing and maintaining the nix build does not generally filter back upstream to impact the build integrity of, say, its associated PyPI package. So if users continue to consume from PyPI, improving nix won't serve them.

This is not to say that the long-term source of truth for packaging will remain the language registries. Just that today's reality demands we meet users where they are.

> Would love to see Google contribute to nix in this space :)

Same :)


ramses0|7 months ago

Are all your comments being run through an "AI appropriateness and enthusiasm" filter?

hollerith|7 months ago

I think he's just young and not-yet-disillusioned.