dotfiles VS nixpkgs

You can take a look at my nvim configs here. I’m a Ruby dev, and like to poke around with my nvim configuration as a hobby. I’m pretty happy with where I have it, although it’s always a work in progress.

Not an answer to you're question, but do youferl safe doing (https://github.com/jchilders/dotfiles/blob/main/Makefile#L34)

> sudo curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/in... | /bin/bash

piping the output of a curl command to sh without first checking the sha256 of the file you just got?

That was my impression. I’ve been doing this for years with Ruby, tmux, and some custom zsh widgets.

https://github.com/jchilders/dotfiles

These are my dotfiles. I'm a Rails dev, and I'm using neovim nightly + solargraph. Here's a partial screenshot of something I'm working on right now showing a rubocop warning for the current line. The window showing it is being provided by lspsaga.

I know people like playing with neovim’s terminal buffers these days, but in the spirit of “use the right right tool for the job”, I gave up on using nvim for things like this and went back to tmux. I have a mapping I use that runs rspec in the adjacent pane. It uses tmux’s send-keys to do the right thing. You could do the same thing, only instead of executing rspec, you would send it your tail command.

https://github.com/NixOS/nixpkgs/commits?author=neon-sunset

I see two signers in the top 6 displayed on https://github.com/NixOS/nixpkgs/graphs/contributors

For a single file script, nix can make the package management quite easy: https://github.com/NixOS/nixpkgs/blob/master/doc/languages-f...

For example,

```

Yes, Nix doesn't actually ensure that the builds are deterministic. In fact it works just fine if they aren't. There are packages in nixpkgs that aren't reproducible: https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aiss...

I'm not familiar with Bazel, but Nix in it's current form wouldn't have solved this attack. First of all, the standard mkDerivation function calls the same configure; make; make install process that made this attack possible. Nixpkgs regularly pulls in external resources (fetchUrl and friends) that are equally vulnerable to a poisoned release tarball. Checkout the comment on the current xz entry in nixpkgs https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/comp...

NixOS uses a monorepo and I think everyone's love it.

I love being able to easily grep through all the packages source code and there's regularly PRs that harmonizes conventions across many packages.

Nixpkgs doesn't include the packaged software source code, so it's a lot more practical than what Debian is doing.

https://github.com/NixOS/nixpkgs

In this specific case, nix uses fetchFromGitHub to download the source archive, which are generated by GitHub for the specified revision[1]. Arch seems to just download the tarball from the releases page[2].

[1]: https://github.com/NixOS/nixpkgs/blob/3c2fdd0a4e6396fc310a6e...

[2]: https://gitlab.archlinux.org/archlinux/packaging/packages/ib...

True, but irrelevant -- _some packages_, _somewhere_, do depend on xz, which, if built, requires pulling the source from GitHub (see the default.nix: https://github.com/NixOS/nixpkgs/blob/nixos-23.11/pkgs/tools...)

It's not the vulnerability that's a problem right now (NixOS was protected by a couple of factors) but rather GitHub's hamfisted response.

That is the problem.

We’ve noticed that some users have been asking about how to use older versions of Terraform in their Nix setups [1, 2]. This is an example of the diverse needs of people and the importance of maintaining backward compatibility. We hope that nixpkgs-terraform will be a useful tool for these users.