nixpkgs VS direnv

For a single file script, nix can make the package management quite easy: https://github.com/NixOS/nixpkgs/blob/master/doc/languages-f...

For example,

```

Yes, Nix doesn't actually ensure that the builds are deterministic. In fact it works just fine if they aren't. There are packages in nixpkgs that aren't reproducible: https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aiss...

I'm not familiar with Bazel, but Nix in it's current form wouldn't have solved this attack. First of all, the standard mkDerivation function calls the same configure; make; make install process that made this attack possible. Nixpkgs regularly pulls in external resources (fetchUrl and friends) that are equally vulnerable to a poisoned release tarball. Checkout the comment on the current xz entry in nixpkgs https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/comp...

NixOS uses a monorepo and I think everyone's love it.

I love being able to easily grep through all the packages source code and there's regularly PRs that harmonizes conventions across many packages.

Nixpkgs doesn't include the packaged software source code, so it's a lot more practical than what Debian is doing.

https://github.com/NixOS/nixpkgs

In this specific case, nix uses fetchFromGitHub to download the source archive, which are generated by GitHub for the specified revision[1]. Arch seems to just download the tarball from the releases page[2].

[1]: https://github.com/NixOS/nixpkgs/blob/3c2fdd0a4e6396fc310a6e...

[2]: https://gitlab.archlinux.org/archlinux/packaging/packages/ib...

True, but irrelevant -- _some packages_, _somewhere_, do depend on xz, which, if built, requires pulling the source from GitHub (see the default.nix: https://github.com/NixOS/nixpkgs/blob/nixos-23.11/pkgs/tools...)

It's not the vulnerability that's a problem right now (NixOS was protected by a couple of factors) but rather GitHub's hamfisted response.

That is the problem.

We’ve noticed that some users have been asking about how to use older versions of Terraform in their Nix setups [1, 2]. This is an example of the diverse needs of people and the importance of maintaining backward compatibility. We hope that nixpkgs-terraform will be a useful tool for these users.

I think whateveracct was referring to is this link:

https://github.com/NixOS/nixpkgs/blob/master/pkgs/developmen...

What that file is doing, is building a package, and it essentially is a combination of what Makefile and what RPM spec file does.

I don't know if you're familiar with those tools, but if you aren't it takes some time to know them enough to understand what is happening. So why would be different here?

#!/usr/bin/env nix-shell #! nix-shell -i bash #! nix-shell -p sops #! nix-shell -I https://github.com/NixOS/nixpkgs/archive/refs/tags/23.05.tar.gz source config.sh "$@"

I also made the export diff configurable, motivated by this post: https://github.com/direnv/direnv/pull/1233

Nice.

For years I've been using [direnv](https://direnv.net/) for this, setting environment variables which git picks up. This looks like a more feature complete equivalent, although to be honest I only really need switching of committer email and the SSH key used.

Direnv, for the uninitiated, loads and unloads environment variables when directories are entered and exited. Under every project folder there is a `$PROJ_DIR/.envrc` which contains:

buffer-env: A pure-Elisp version of the direnv utility. Useful to make Emacs aware of Python virtualenvs (which, judging by the questions posted here, is unfortunately still a complication for a lot of people). Similar to (and inspired by) envrc, but doesn't require the direnv program.

You can look at direnv to see this in action as they wrote shell hooks that get loaded into the shell profile and are executed on every prompt. https://direnv.net/

Yes, most Nix users employ https://direnv.net or the equivalent for your IDE of choice. Emacs for instance has https://github.com/purcell/envrc which set per-buffer variables.

The more applications I write, the more I tend to avoid typical config files in favor of using direnv [0] to set environment variables.

[0] https://direnv.net/