NixOS binary caches are secured by public-key signatures, as well as HTTPS. Hashes for all source artifacts are checked by builders, and this is strongly enforced by a build sandbox that disables network access for derivations without a known output hash. NixOS is leading the effort toward reproducible builds (https://reproducible.nixos.org/), with many sources of nonreproducibility automatically ruled out by design.

Supply chain security is of course a massively multifaceted technical and social problem, but I’m curious what other distributions you think are doing it better in practice?

Nix packages are blindly and automatically signed by a single private key last I reviewed it. Bribe or compromise one person and the entire model fails. There is good reason to do this too given that many major blockchain projects use it for builds. Hundreds of millions to be made by one that impersonates the right maintainer before the right software release.

Also no signed commits or signed authorship means someone with Github access can just fake history and inject whatever they want after code reviews are completed, which will then be blindly and automatically signed.

Some of the people with write access to the nixpgs repo even have SMS recovery enabled on their github recovery email accounts. One sim swap to compromise all nix users. I will not call them out, but go try to do a email password reset on recent committers for yourself. A malicious github employee could also of course do whatever they want to an unsigned repo. Or a well placed BGP attack. Lots of options. It is hard to prevent such things, but author commit signing would mitigate the risk and can be enforced.

I made my case for this to the nix team but in the end it was concluded people would stop maintaining packages if they had to do the bare minimum like commit signing or hardware 2FA. https://github.com/NixOS/rfcs/pull/34

All this is fine, but it means effectively a decision was made for NixOS to be a hobby distro not suitable for any targeted applications or individuals. It really sucks, because I love everything else about nix design.

Instead I am forced to bootstrap high security applications using arch and debian toolchains which are worse than nix in every way but supply chain integrity given that all authors directly sign package sources with their personal well verified keys. They have a ton of other security and even their own supply chain problems but they at least can survive phishing, a malicious mirror, or a sim swap. It is a low bar nix sadly does not meet.

They are efforts underway. Look in to content-addressed-nix and Trustix.

But the way I understand it, the current trust model is no different than any other package manager, so this hardly seems like a fair criticism.

Trustix and CAN are -fantastic- for the problems they are intended to solve, but they only cover the consumption side of the supply chain. You can use these to ensure the binaries are built from the published code, or that you are using the right published code. You have no idea if the published git commits were not made by a sim swap compromised github account... because maintainers are not required to do the bare minimum such as signing commits.

Compare to arch, fedora, debian, and basically every other linux distro that has existed more than a decade. Every maintainer signs their own contributions with well known keys so they cannot be impersonated and so later stages of the supply chain cannot tamper with them.

Newer distros like Nix and Alpine decided do get rid of all that security overhead in order to attract a huge pile of randos as maintainers. I mean, it worked, but at a very high price.

I see. Yes, that is a bit disappointing.

I don't follow. The NARs are signed by a key that (presumably?) only Hydra has access to. (The signature is then recorded in the narinfo file). The integrity is the nixpkgs history, and the signature verification that happens when you pull the narinfo+NAR from a cache that hydra pushed to.

How can Hydra know the nixpkgs repo was not tampered with? Maintainers impersonated?

How can anyone know the Hydra signing key was not tampered with?

These are problems other linux distros have solved for decades by just requiring maintainers press a blinking yubikey or similar to sign their contributions.

Nix will refuse to accept any cache substitution that it doesn't have a trusted signature for. And if you distrust their cache, you can always disable it entirely or replace it with your own.

Signed by a single centralized key on an internet connected stack that how many people have control of?