Posted by vinhnx 17 hours ago

Open source security at Astral (astral.sh)
327 points | 83 comments (page 2)

Zopieux 12 hours ago
The entire paragraph about version pinning using hashes (and using a map lookup for in-workflow binary deps) reminds me that software engineers are forever doomed to reinvent worse versions of nixpkgs and flakes.

I don't even love Nix, it's full of pitfalls and weirdnesses, but it provides so much by-default immutability and reproducibility that I sometimes forget how others need to rediscover this stuff from first principles every time a supply chain attack makes the news.

nDRDY 12 hours ago
>worse versions of nixpkgs and flakes

You mean statically-compiled binaries and hash pinning? Those have been around a bit longer than Nix :-)

Zopieux 10 hours ago
Were they deployed at scale in such a way that most (open and some non-free) software is packaged as such? I've never seen this happen until nixpkgs.

tclancy 9 hours ago
Every generation thinks they invented sex. And hash pinning, which now sounds dirty.

ChrisArchitect 15 hours ago
Earlier submission from author: https://news.ycombinator.com/item?id=47691466

anentropic 9 hours ago
Super useful info... but I feel so tired after reading it

trashcan2137 14 hours ago
Lengths people will go to rediscover Nix/Guix is beyond me

sunshowers 11 hours ago
If it doesn't work on Windows, it is not a full replacement.

mkj 7 hours ago
Isn't Nix just reinventing what Vesta did for software reproducibility decades earlier? https://vesta.sourceforge.net/

3abiton 14 hours ago
I don't see the connection though?

Eufrat 14 hours ago
Nix provides declarative, reproducible builds. So, ostensibly, if you had your build system using Nix, then some of the issues here go away.

Unfortunately, Nix is also not how most people function. You have to do things the Nix way, period. The value in part comes from this strong opinion, but it also makes it inherently niche. Most people do not want to learn an entire new language/paradigm just so they can get this feature. And so it becomes a chicken and egg problem. IMHO, I think it also suffers from a little bit of snobbery and poor naming (Nix vs. NixOS vs. Nixpkgs) which makes it that much harder to get traction.

diffeomorphism 13 hours ago
There are different notions of "reproducible". Nix does not automatically make builds reproducible in the way that matters here:

https://reproducible.nixos.org

It is still good at that but the difference to other distros is rather small:

https://reproducible-builds.org/citests/

trashcan2137 12 hours ago
Nix, if not used incorrectly (and they really make it hard to use it, both correctly and incorrectly lol), gives you reproducible and verifiable builds.

Unfortunately I have to agree with the sibling comment that it suffers from poor naming and the docs are very hard to grok which makes it harder to get traction.

I really hate the idea of `it's all sales at the end of the day` but if Nix could figure how to "sell" itself to more people then we would probably have less of those problems.

Zopieux 12 hours ago
Reading the paragraph on hash pinning and "map lookup files" (lockfiles) made me audibly sigh.
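Several comments above (Zopieux's two remarks on hash pinning and "map lookup" lockfiles, and the reproducible-builds subthread) refer to the practice without showing what a workflow actually checks. The following is an added example, not code from the article or from Astral's tooling: a minimal lockfile verifier in Python. The lockfile format (`<artifact-name> sha256=<hex>` per line), the artifact names and the byte strings standing in for downloaded releases are all constructed for the example. The point it makes is the one the thread is circling: a version string or tag can be re-pointed at different bytes, but a pinned digest either matches the bytes you fetched or it does not, and anything the lockfile does not know about is refused rather than silently trusted.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a downloaded artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for release bytes a CI job would download.
# In a real pipeline these come from the network; here they are inline
# so the example runs offline.
GOOD_TOOL_BYTES = b"release bytes for tool 1.2.3"
HELPER_BYTES = b"release bytes for helper 0.9.0"
# Same version name, different content: what a re-pointed tag or a
# swapped download looks like to the verifier.
TAMPERED_TOOL_BYTES = b"release bytes for tool 1.2.3 plus something extra"

# Constructed lockfile in a simple line format (not any real tool's
# format): one artifact per line, "<name> sha256=<64 hex chars>".
LOCKFILE_TEXT = (
    "# pinned workflow artifacts (constructed example)\n"
    f"tool-1.2.3-linux-x86_64.tar.gz sha256={sha256_hex(GOOD_TOOL_BYTES)}\n"
    f"helper-0.9.0.whl sha256={sha256_hex(HELPER_BYTES)}\n"
)


def parse_lockfile(text: str) -> dict[str, str]:
    """Return {artifact_name: sha256_hex}; reject malformed or duplicate pins."""
    pins: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("sha256="):
            raise ValueError(f"lockfile line {lineno}: expected '<name> sha256=<hex>'")
        name, digest = parts[0], parts[1][len("sha256="):].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"lockfile line {lineno}: bad sha256 digest for {name}")
        if name in pins:
            raise ValueError(f"lockfile line {lineno}: duplicate pin for {name}")
        pins[name] = digest
    return pins


def check_artifact(name: str, data: bytes, pins: dict[str, str]) -> str:
    """Classify one download as 'ok', 'mismatch' or 'unpinned'."""
    expected = pins.get(name)
    if expected is None:
        # An artifact the lockfile does not list is refused, not trusted.
        return "unpinned"
    actual = sha256_hex(data)
    # compare_digest avoids timing differences; the digests are public
    # anyway, but it is the habit worth keeping.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def verify_downloads(downloads: dict[str, bytes], pins: dict[str, str]) -> dict[str, str]:
    """Check every download; a workflow would abort unless all are 'ok'."""
    return {name: check_artifact(name, data, pins) for name, data in downloads.items()}


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE_TEXT)
    results = verify_downloads(
        {
            "tool-1.2.3-linux-x86_64.tar.gz": TAMPERED_TOOL_BYTES,
            "helper-0.9.0.whl": HELPER_BYTES,
            "surprise-plugin.tar.gz": b"not in the lockfile",
        },
        pins,
    )
    for name, status in results.items():
        print(f"{status:9} {name}")
    if any(status != "ok" for status in results.values()):
        raise SystemExit("refusing to run: at least one artifact failed pin verification")
```

The lockfile here plays the role of the "map lookup" file the thread mentions: the workflow never asks "is this version 1.2.3?", it asks "do these bytes hash to the digest we recorded?". Regenerating the pins is a deliberate, reviewable change to that file rather than something that happens implicitly on the next run.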