#nixpkgs is now the package repository with the most packages. It has had the most up-to-date packages for a long time.
We achieve this with only 15% of the maintainers #AUR has (second-most packages). Imagine what we could achieve with that many package maintainers!
I maintain 22 packages myself including a custom kernel. It is quite easy with Nix!
We also have 300+ open security issues.
Since we don't have that many maintainers, we should first tackle that before admitting more and more packages into the repository.
@ck ubuntu, debian and aur are still worse lol
@ck it's just for relation. we are not worse than other popular distros
that doesn't mean we should not improve that
@davidak this is comparing against distributions though, it's easy to package lots of things if you aren't rigorous at building everything from source.
@cbaines i guess you refer to AUR. we do build everything from source
AUR seems like a low effort way of packaging while in Nix, it's done properly
@davidak I don't know anything about AUR, but it's my impression that sometimes nixpkgs derivations aren't particularly rigorous...
I knew it was packaged for Nixpkgs, but I realise that it's just copying many non-source things from the tarball built by the upstream project!
@davidak obviously, there's bootstrapping problems with things like GCC and low level tools.
But this is not processing the typescript, and including a phantomjs binary is a different issue.
@cbaines Nix and Guix user here, there are two complected issues here:
first, number of *useful* packages; Nixpkgs has plenty of them (some are binaries, some blobs, some broken) but majority of them Just Work™ (not in FSDG sense)
second, number of purely source based packages; here Nixpkgs is weak, there is no process to check whether we can rebuild a package from source, heck they even treat firmware blobs as libre.
Those are separate issues though and the OP’s point is valid.
@davidak @cbaines Nix/Guix’s design choices allow small number of maintainers to do more work in comparison to traditional package managers which are inherently more messy thanks to mutation—to manage it we need more time (and heads).
Guix adds ethical/moral restriction (FSDG) which by definition *heavily* limits number of packages and requires much more work to add new.
Whether the restriction and its guarantees are worth the trade‑off depends on users and their values.
@davidak I get that you think Nixpkgs packages should build things from source, and I think that's great, but is there any policy or something written down somewhere that says new packages shouldn't be accepted if they don't build from source (apart from exceptional circumstances)?
@cbaines i think there is no written down rule, but i have seen it in the review process, that contributors are asked to do it properly
it's a good idea to write it down, so all contributors and reviewers are on the same page. i will try to do that. thanks!
do you know if there are similar rules in #GUIX?
@davidak that sounds good :D
As for Guix, I was anticipating that somewhere in the contributing guidance it would say packages should build the software from source, but I can't see that. Maybe I've missed it, but it looks like it might need explicitly stating in the Guix contributing guidance too...
@davidak JOSM looks like a good example of what I'm getting at, I'm pretty sure this isn't a "proper" package definition, at least one that builds from source and describes inputs/dependencies.
Whereas we have a proper package definition for JOSM in Guix :)
@davidak up to date packages like Xen 4.8.5 in NixOS? Even Debian stable has a newer version (4.11.4). Debian oldstable has the same version as NixOS. ;-)
@txt_file there is also Xen 4.10.4 available on NixOS stable and it's the default on unstable
NixOS has the most up-to-date packages, but 21.8% are out of date. xen seems to be one of them
most distros seem to have out-of-date xen with potential security issues https://repology.org/project/xen/versions
maybe no one cares about xen nowadays. why wouldn't one use KVM?