• RustyNova@lemmy.world (4 upvotes · 9 hours ago)

    Idk how the AUR works, but I like that Nix fetches the source from the repo and also checks its hash against a maintainer-provided one. Prevents repo hijacking.

    Although it's still pretty much vulnerable if the attacker controls both the nix file and the repo.

    • bitfucker@programming.dev (6 upvotes · 7 hours ago)

      Every *-git package also fetches it from the repo. The apt analogy is someone hasn't been maintaining the nixpkg and then it gets adopted by someone else. Now that someone else changes the build script to be malware. So it is no fault of the upstream.
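An added illustration of the two situations the thread describes (upstream repo hijacked vs. recipe and repo both under one person's control, as with an adopted orphaned package); this is not code from the thread or from Nix, and the `Recipe` type, URL and source bytes are constructed stand-ins for a pinned fetch plus a maintainer-recorded hash:

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Recipe:
    """Constructed stand-in for a package recipe: pinned source URL plus the
    sha256 the maintainer recorded for that source."""
    url: str
    sha256: str  # hex digest of the expected source bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_and_verify(recipe: Recipe, fetched: bytes) -> bool:
    """The fixed-output style check: whatever came back from recipe.url must
    hash to the pinned digest, otherwise the build is refused."""
    return hmac.compare_digest(sha256_hex(fetched), recipe.sha256)


# Constructed sample: the genuine upstream source at the time it was pinned.
GENUINE_SOURCE = b"#!/bin/sh\necho 'hello from upstream v1.2.3'\n"
RECIPE = Recipe(url="https://example.invalid/upstream/v1.2.3.tar.gz",
                sha256=sha256_hex(GENUINE_SOURCE))
TAMPERED_SOURCE = GENUINE_SOURCE + b"echo 'injected line'\n"  # constructed


def scenario_repo_hijacked() -> bool:
    """Attacker controls only the upstream repo. The swapped source no longer
    matches the pinned hash, so the build fails. True if it was rejected."""
    return not fetch_and_verify(RECIPE, TAMPERED_SOURCE)


def scenario_recipe_and_repo_controlled() -> bool:
    """Attacker controls the recipe too (e.g. took over an unmaintained
    package) and re-pins the hash to the tampered source, so the check
    passes. True if the tampered source was accepted."""
    rewritten = Recipe(url=RECIPE.url, sha256=sha256_hex(TAMPERED_SOURCE))
    return fetch_and_verify(rewritten, TAMPERED_SOURCE)


def recipe_hash_changed_without_source_bump(old: Recipe, new: Recipe) -> bool:
    """Reviewer's check for recipe updates: a changed pinned hash while the
    pinned URL/version stays the same deserves a close look."""
    return old.url == new.url and old.sha256 != new.sha256
```

The last function is the kind of check a package reviewer can run over a recipe diff: a hash that moves without the pinned version moving is exactly the case the second comment describes.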