Does anyone know if the NixOS packages are safer from these types of attacks? As far as I know, many packages are missing maintainers.
I read a reddit thread about this.
Basically they are significantly safer because the review process is tedious and the PRs take ages to get reviewed. Moreover, the read-only nature of the nix store makes most of those techniques useless. You cannot just take over packages the AUR way.
Moreover, if you use third party nix flakes, you are still safer because they are tied to a specific GitHub repo, so if it gets forked by a malicious actor you won’t get that update.
However, you are still prone to upstream malware. That is, nixpkgs probably won’t add malware, but it could be there before packaging.
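As an added example (not from the thread), a small Python check that compares two `flake.lock` files and flags any input whose pinned GitHub owner/repo changed between updates, which is the fork scenario the reply above describes; the sample lock contents, owner names, revs and hashes are all constructed placeholders.

```python
import json

def _src(locked):
    """Human-readable source identity of a locked flake input."""
    if locked.get("type") == "github":
        return f"github:{locked.get('owner')}/{locked.get('repo')}"
    return f"{locked.get('type')}:{locked.get('url', '?')}"

def flake_inputs(lock_text):
    """Map each direct input name of the root flake to its 'locked' record."""
    lock = json.loads(lock_text)
    nodes = lock["nodes"]
    inputs = {}
    for name, node_id in nodes[lock["root"]].get("inputs", {}).items():
        if isinstance(node_id, str):  # a list here is a 'follows' alias; skip those
            inputs[name] = nodes[node_id]["locked"]
    return inputs

def audit_lock_update(old_text, new_text):
    """Compare two flake.lock contents and return (input, severity, message) tuples.
    'alert' = pinned repository changed (e.g. a different owner, i.e. a fork),
    'info' = same repository, new commit, 'review' = input added or removed."""
    old, new = flake_inputs(old_text), flake_inputs(new_text)
    findings = []
    for name in sorted(set(old) | set(new)):
        if name not in old or name not in new:
            findings.append((name, "review", "input added" if name in new else "input removed"))
            continue
        o, n = old[name], new[name]
        if any(o.get(k) != n.get(k) for k in ("type", "owner", "repo", "url")):
            findings.append((name, "alert", f"source changed {_src(o)} -> {_src(n)}"))
        elif (o.get("rev"), o.get("narHash")) != (n.get("rev"), n.get("narHash")):
            findings.append((name, "info", f"rev {o.get('rev')} -> {n.get('rev')}"))
    return findings

# Constructed sample lock files (placeholder owners, revs and hashes, not real projects).
def _lock(tool_owner, nixpkgs_rev):
    return json.dumps({"version": 7, "root": "root", "nodes": {
        "root": {"inputs": {"nixpkgs": "nixpkgs", "tool": "tool"}},
        "nixpkgs": {"original": {"type": "github", "owner": "NixOS", "repo": "nixpkgs"},
                    "locked": {"type": "github", "owner": "NixOS", "repo": "nixpkgs",
                               "rev": nixpkgs_rev, "narHash": "sha256-" + nixpkgs_rev}},
        "tool": {"original": {"type": "github", "owner": tool_owner, "repo": "tool"},
                 "locked": {"type": "github", "owner": tool_owner, "repo": "tool",
                            "rev": "cafe0002", "narHash": "sha256-cafe0002"}}}})

OLD_LOCK = _lock("upstream-dev", "aaaa0001")
NEW_LOCK = _lock("unknown-fork", "aaaa0002")  # 'tool' now resolves to a different owner
```

Running `audit_lock_update(OLD_LOCK, NEW_LOCK)` reports a routine rev bump for `nixpkgs` and an alert for `tool`, whose pinned repository moved to another owner.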