nixpkgs VS Home Assistant

> I'm sure that somewhere buried in a wall of text they state what this is all about

If they could've, they would've. Unfortunately, this has been a problem in the Nix community for a while. No one mentioned in this letter is an "abusive" "right-wing" "concern troll" by any stretch. None of evidence buried in this wall of text supports that assumption. Whether the authors realize it or not, this letter consists almost entirely of ad hominems and accusations of ulterior motives.

Just as an aide, I wrote "almost," because I do think the handling of the sponsorship was an issue here despite the letter framing this as not the central issue. Military sponsors aren't a great fit for a community of international volunteers, especially one trying to put AI on drones. I'm not comfortable with that either. But were the accused members of the Nix community abusing and concern trolling to push a right wing agenda? Definitely not.

The other issues though, are just disagreements. The letter is taking screenshots of random disagreements and claiming it as proof of, again, "abusive" "right-wing" "concern trolling" behavior. Some vocal members of the Nix community love to do this. All. The. Time.

They disagreed with me. They didn't do this or that. That means they must be against social justice. They're persecuting minorities. They're concern trolling. Oh, here's another person trying to stay away from all the arguing. They're complicit too.

This is the stated mentality of these vocal members. This is also the reason I avoid posting in NixOS Discourse and Matrix off topic chat channels. It just feels like some are more interested playing Game of Thrones. It's not representative of the community, but I don't want to attract unnecessary attention from the vocal few.

Actual concrete example. The Nixpkgs repository includes a file containing a list of maintainers. A PR was made against this file, and one member of the community asked the PR author if they can make the maintainer name the same as their GitHub username.

https://github.com/NixOS/nixpkgs/pull/120729#discussion_r621...

And this exploded. Way out of proportion. Some were pouncing on the member who made that comment. To me, the response seems far more abusive than the original comment ever was.

https://github.com/NixOS/nixpkgs/pull/120729#discussion_r621...

Accusations were flown, like "denying someone of a name." Seriously?

https://github.com/NixOS/nixpkgs/pull/120729#discussion_r622...

I feel bad about bringing this up, but it only seems fair to show the whole picture given the situation.

For a single file script, nix can make the package management quite easy: https://github.com/NixOS/nixpkgs/blob/master/doc/languages-f...

For example,

```

Yes, Nix doesn't actually ensure that the builds are deterministic. In fact it works just fine if they aren't. There are packages in nixpkgs that aren't reproducible: https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aiss...

I'm not familiar with Bazel, but Nix in it's current form wouldn't have solved this attack. First of all, the standard mkDerivation function calls the same configure; make; make install process that made this attack possible. Nixpkgs regularly pulls in external resources (fetchUrl and friends) that are equally vulnerable to a poisoned release tarball. Checkout the comment on the current xz entry in nixpkgs https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/comp...

NixOS uses a monorepo and I think everyone's love it.

I love being able to easily grep through all the packages source code and there's regularly PRs that harmonizes conventions across many packages.

Nixpkgs doesn't include the packaged software source code, so it's a lot more practical than what Debian is doing.

https://github.com/NixOS/nixpkgs

In this specific case, nix uses fetchFromGitHub to download the source archive, which are generated by GitHub for the specified revision[1]. Arch seems to just download the tarball from the releases page[2].

[1]: https://github.com/NixOS/nixpkgs/blob/3c2fdd0a4e6396fc310a6e...

[2]: https://gitlab.archlinux.org/archlinux/packaging/packages/ib...

True, but irrelevant -- _some packages_, _somewhere_, do depend on xz, which, if built, requires pulling the source from GitHub (see the default.nix: https://github.com/NixOS/nixpkgs/blob/nixos-23.11/pkgs/tools...)

It's not the vulnerability that's a problem right now (NixOS was protected by a couple of factors) but rather GitHub's hamfisted response.

That is the problem.

We’ve noticed that some users have been asking about how to use older versions of Terraform in their Nix setups [1, 2]. This is an example of the diverse needs of people and the importance of maintaining backward compatibility. We hope that nixpkgs-terraform will be a useful tool for these users.

I think whateveracct was referring to is this link:

https://github.com/NixOS/nixpkgs/blob/master/pkgs/developmen...

What that file is doing, is building a package, and it essentially is a combination of what Makefile and what RPM spec file does.

I don't know if you're familiar with those tools, but if you aren't it takes some time to know them enough to understand what is happening. So why would be different here?

Apparently the same issue has been reported with Philips TV [1] and Fritz!Box [2] as well.

[1] https://github.com/home-assistant/core/issues/73643#issuecom...

[2] https://forum.openwrt.org/t/minidlna-creates-new-media-serve...

The plug would transmit power readings to my Home Assistant setup.

Home Assistant can cast dashboard/media/etc to your display and has shopping lists. https://www.home-assistant.io/

If you provided MQTT support like plenty of IoT companies do, then any open source home automation tool can integrate! Home Assistant (https://www.home-assistant.io/) have a grading system, so a local-first implementation would give you their highest score since they also really care about privacy. https://www.home-assistant.io/blog/2016/02/12/classifying-th...

It's hard not to raise a little smile at Google's automation scripts, which bare a not-entirely-passing resemblance to those of a certain other, more comprehensive home automation system...

You might consider looking into "Home Assistant".