I am paranoid about running unknown code on my machine. I have been using a MacBook for some years now, but the way I used to install any software was brew, like most developers.
Later I asked myself, “How do I trust my brew installs?” But like most of us, I had to try new packages and deploy software to do my work.
I contribute to many different OSS projects, and I also wanted to keep the environments separate. For example, one of the OSS projects requires go 1.15 whereas the other one needs
The question I get asked is, “Aren’t you overblowing the situation?” No, I am not, and here are a few examples of supply chain issues: https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises, and a great article by Paulo Gomes, “Golang: stop trusting your dependencies!”
Here are the things that I wanted for my new ENV:
- I wanted an automatable environment.
- It has to be on a Linux box.
- It would be nice to have an immutable environment.
- It should be easy to maintain, and it would be great to have a community.
- I was ready to pay no more than $20 per month for my ENV, meaning the hardware for a cloud instance. In my opinion, the cost of security is worth it.
With the above requirements, I ran into NixOS and nixpkgs. NixOS has a steep learning curve, like anything else, but I think it is worth the time spent learning it.
Now my environment is still a MacBook with a terminal. I only install packages from the App Store or signed packages, which has reduced my attack surface.
I have different shell ENVs with nixpkgs for various projects:
I have tmux sessions for each ENV, all still running on a single cloud instance VM. I can update packages and don’t have to worry about messing up the ENVs or compromising my machine’s security.
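One way to build the per-project shell ENVs described above, as an added example that is not from the original post: a shell.nix that pins nixpkgs to a fixed revision (so every machine and every tmux session gets exactly the same package set, and a changed upstream tarball fails the hash check instead of being silently installed) and pulls in the Go version one of the projects needs. The commit hash and sha256 are placeholders to be replaced with a real revision and the hash Nix reports for it; the go_1_15 attribute name is assumed to exist in the pinned nixpkgs revision.

```nix
# Added example, not from the original post: a per-project shell.nix that
# pins nixpkgs to one revision so the ENV is reproducible and verifiable.
let
  # PLACEHOLDERS: put a real nixpkgs commit here and the sha256 that
  # `nix-prefetch-url --unpack <url>` prints for that tarball.
  pinnedNixpkgs = builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/<REPLACE-WITH-NIXPKGS-COMMIT>.tar.gz";
    sha256 = "<REPLACE-WITH-SHA256-FROM-NIX-PREFETCH-URL>";
  };

  # Import only the pinned package set; nothing from the host's channels leaks in.
  pkgs = import pinnedNixpkgs { };
in
pkgs.mkShell {
  # Tools this one project needs; a second project gets its own shell.nix
  # with, for example, a different Go attribute.
  buildInputs = [
    pkgs.go_1_15   # assumed attribute name in the pinned revision
    pkgs.git
    pkgs.tmux
  ];

  # Keep Go's module cache and build artefacts inside the project tree so
  # separate ENVs do not share state through $HOME.
  shellHook = ''
    export GOPATH="$PWD/.gopath"
    export GOCACHE="$PWD/.gocache"
    export PATH="$GOPATH/bin:$PATH"
    echo "ENV ready: $(go version)"
  '';
}
```

Run `nix-shell --pure` in the project directory to enter the ENV; `--pure` drops the host's environment variables so only the pinned packages are on PATH. Because the revision and its sha256 are fixed in the file, the same shell.nix checked into the project gives the same environment on the cloud VM as anywhere else, and a later package update is a deliberate edit to the pinned commit rather than whatever a channel happens to serve that day.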
You should be comfortable using a CLI-based ENV. I have been using vim for a while now, and I don’t miss a UI for writing code.
2021-09-30 23:48 +0000