Can someone ELI5 what’s going on? Seems like they are still fighting about Nix allowing a defense company to sponsor their conferences, and trying to ad hominem the project leaders.
Nix is already beyond fucked because they actively dismiss the need for appropriate security measures to prevent supply chain attacks. There were multiple discussions about this over the years that appear to have succumbed to neglect.
I wouldn’t trust nix, just like I don’t trust pip, brew, or a whole plethora of other package managers and repositories. They are just too neglectful
If I were to fully elaborate, I’d be typing for hours, so I’ll sum up:
pip - default behavior is to install to system-wide site packages. In a venv, it will try to upgrade/uninstall system packages without notice/consent unless you specify –require-virtualenv. Multiple things can fuck up your ENV to make the python binaries point to system-wide, while your terminal will still show you as in a venv. Also why TF would package metadata files need to be executable? Bad practice, -1/10
nix - they acknowledged years ago that they should probably have some kind of package signing and perhaps an SBOM or similar mechanism, but then did nothing to implement it and just said "oh well, guess we’re vulnerable to supply chain attacks, best not to think about it"
brew - installing packages parallel to your system packages manager, without containers. My chief complaint here is that brew is a secondary package manager that people might treat as a “set and forget” for some packages, rarely updating them. So what happens when a standard library used by a brew package is vuln? A naive Linux user might update their system packages but totally forget to update brew. And when updating brew, you can easily hit max_open_file_descriptors because kitchen sink
From there, it’s all extremely nit-picky and paranoid-fueled-- basically, none of the package managers I mentioned are conducive, in my eyes at least, to a secure and intuitive compute environment.
Unfortunately, there’s not much I can do about it except bang pots and pans and throw maintainers under buses when the issue that has been present for years rears it’s ugly head. Because they are the only ones who can change this, and pressure is the only thing that might motivate them to.
Those criticisms seem reasonable. Regarding package signing, are you referring to github.com/NixOS/nix/issues/613#issuecomment-1343…? Additionally, that default for pip seems veritably insane. I understand using system packages, but modifying packages outside the virtual environment is definitely weird.
We have heard from multiple people in multiple unrelated contexts that they are hoping for a hard fork of the entire community over the continued inaction on the toxic culture in the Nix project.
Oh yes, please. My experiences on the nix community forums and matrix have been soured by the actions of high-level contributors. They are simply unable to view things from another perspective and harshly defend their perceived territory. I accept that they make mistakes as we are all human, but they are aware of their positions of power and happily take advantage of it.
My major problem has been the documentation of the project and how top contributors are unable to accept how bad it is. Discussions about improvements and attempts at improving it at regularly shut down or impeded. Coming back to the “harsh defense of perceived territory”, it distinctly feels like existing teams are supposed to be the only ones making changes to the things they own. Contributions from “outsiders” never exit nix review hell and are nitpicked to death.
A hard fork doesn’t guarantee existing problems won’t be copy-pasted into a new community (humans be humans), but at least if a new one started there’d be an attempt at resolving existing problems.
(no, I’m not xz’ist - this is a real person with a real opinion)
Edit: I realise I don’t have the same issues as described in this open letter which seems to be focused on Eelco. There have been no interactions with the dude, so I can’t judge, but interactions with some high-level nix members haven’t been pleasant.
Yeah, I enjoy hitting F3 twelve times to find the beginning of mkDerivation documentation - silly me, I must’ve known to search for “stdenv” documentation. Or having to find the source-code of makeWrapper because the documentation for it is mostly in the make-wrapper.sh. Or trying to find a lib function in the unsorted list of library functions.
But why is reference documentation in the “manual” anyway and loaded as a single html? The configuration options are also one humongous html, but separated from the manual. So it is possible to separate the manual, but it hasn’t been done for some reason.
Python uses sphinx or mkdocs, rust uses cargo doc, and C/C++ (+ other languages) use doxygen, and they generate multi page, static, documentation with quite reasonable search, but for some reason nix went the single document way requiring Ctrl+F.
It is slowly getting better, but I find external sources to often be much better than the manuals.
My major problem has been the documentation of the project and how top contributors are unable to accept how bad it is. Discussions about improvements and attempts at improving it at regularly shut down or impeded. Coming back to the “harsh defense of perceived territory”, it distinctly feels like existing teams are supposed to be the only ones making changes to the things they own. Contributions from “outsiders” never exit nix review hell and are nitpicked to death.
I made a one time contribution to the nix docs, I also got the impression that managing documentation could be better but it did got accepted after a few changes.
With that said there are alternative projects that provide a form of documentation to nix.
Honestly, without concrete examples of why this is a problem, I just wish people wouldn’t do this. Open source projects aren’t democracies. They are do-ocracies. People get “positions” by getting off their arse and contributing. Nix OS surviving doesn’t depend on how many users it has. It depends on how many developers it has.
If critisism is coming from the developer base, fair enough. If it’s coming from the user base then all they are going to do is stop the developers wanting to do what they do, and then the project is dead.
I know there was the poor choice of sponsor for one of the live events recently, but I suspect this has opened the flood gates for people to pointlessly criticise from any direction.
People get “positions” by getting off their arse and contributing.
I have a lot of issues with the letter, but it’s hard to deny that certain demographics get better opportunities to have the free time & will to contribute. Does that mean you force other demographics in or not? I’m still on the fence as it the upsides have some drawbacks, but discussions should be had–especially by those other demographics & folks better educated on the topic than myself.
I know there was the poor choice of sponsor
It was a defense contractor I believe. I’m not pro-autonomous drones or anything, but it seems odd to hone in on a single sector. Defense makes obvious tools for killing in the form of weapons, but we wouldn’t have GPS or the internet, etc. without research from the sector either (also see dual-use technology). It’s easy to criticize the military industrial complex, but we have just as many non-military corporations & industries absolutely putting their profits above folks & the environment which is just as destructive–just not as immediate/obvious. If you start kicking out all unethical sponsors, you’re gonna end up with no sponsors under our current capitalist system that doesn’t put any value into or reward being ‘ethical’ or even giving the correct value for labor.
Considering the Internet, GPS and weather satellites, three widely utilised and ubiquitous global services rose out of DARPA, whilst I’m not American, taking issue with investment in a Linux distro is closing the barn door after the horse has bolted.
Wait until these people figure out where computers came from.
From reading the letter it seemed that they were more concerned with the lead developer’s conflict of interest with said defense company as their company, Determinant Systems, may or may not work with them. They can’t say due to an NDA which implies that they do work with them.
I think it is a bit of column A & a bit of column B in the case of defense as we’ve seen other cases of sections of the Nix community vehemently protest certain folks by employer for some political reason or other. But I was more riffing off the parent comment + developer communites in general than the letter specifically as well see this sort of callouts. For instance adjacently, at first blush I could get down with Hippocratic License but you can see how some of these things a really too muddy to be able to exclude entire industries over. It’s tough to handle the introduction of politics into a community, yet often you almost have to at a certain community scale.
I’m not terribly concerned over the ethics of the defense contractor, what I took away from the article is that Eelco develops some competing products for nix which are proprietary and leads the nix project. Massive conflict of interest he refused to address. Furthermore, his behaviour in the community isn’t very good - you could argue “But that doesn’t matter, what matters is that he writes good code”, however you would miss the point. Such behaviour has the potential to alienate current and future contributors - what open source projects need to keep going.
NextDNS. Has a setting to block all domains that’s newer than 30days. Which imo is a very very good idea to have on, considering malware and scams. And I very rarely visit such new sites, and if I do (I learnt now) I can just shive the url in Archive and it will show it to me that way.
You have to read thousands of words past Executive Summary to see what’s going on, which eventually turns out to be the usual left-right culture war (aargh…) The worst is that this actual theme is hidden in the links and is never directly mentioned in the letter.
The letter also stops short of taking side between left and right although the links clarify it’s obviously the former.
It instead accuses the NixOS platform of having “systemic” problems in “leadership,” “structure,” etc. etc. I was like, “just say it, you simply believe in a more progressive NixOS team.”
They only say “bad behaviors,” then define bad behaviors with abstract terms using one paragraph. That’s shortly after the text uses the metaphor of “missing stairs in a staircase”, without explaining what these missing stairs are about.
So abstract, without examples for all this depth of abstraction.
They go on with their “bad behavior”, bad behavior, bad behavior, and finally there are links. If you click on the first (?) of these links, you finally see that this one example was about minority representation in NixOS development. In the rest, you see examples of the usual conservative vs. progressive culture war.
Add comment