The troubles affecting Arch’s AUR over the past week are now beginning to ripple through other open-source projects, prompting some to tighten their security measures. Determinate Systems has implemented a seven-day delay for Nixpkgs updates in its Determinate Nix distribution, citing supply-chain risks highlighted by the recent malware incident affecting the Arch User Repository.
To be clear: Determinate Systems is a separate company from the NixOS project, focused on commercial and developer tools for Nix, such as Determinate Nix, FlakeHub, and package security services. This change affects Determinate Nix, a downstream distribution for Linux, macOS, WSL, and CI/CD systems, not NixOS or upstream Nixpkgs.
The nixpkgs-weekly channel will still update weekly, but will now only adopt upstream Nixpkgs revisions after they have been public for seven days. Determinate Systems aims to offer a buffer period to detect critical issues or malicious changes before updates reach users.
This decision follows a recent malware campaign in the Arch User Repository, in which hundreds of malicious packages exposed users to supply-chain attacks. Determinate Systems notes that Nixpkgs faces similar risks, as many maintainers can merge their own pull requests without required peer review.
The company describes the cooldown as a practical mitigation, not a complete solution. Delaying new Nixpkgs revisions allows the community time to spot suspicious activity before updates are released by default.
The new delay is already deployed and enabled by default for all Determinate Nix users. Flakes using the default nixpkgs flake registry entry under Determinate Nix will automatically receive the delayed Nixpkgs updates.
Users outside Determinate Nix can manually opt into the delayed channel by directing their flake input to Determinate’s nixpkgs-weekly source. The company has also begun mirroring NixOS 26.05 through a separate delayed channel.
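For users who pin Nixpkgs themselves rather than switching to the delayed channel, the same cooldown can be enforced locally. The script below is an added example, not code from Determinate Systems or Nixpkgs: it reads the standard flake.lock format and checks that the pinned nixpkgs revision is at least seven days old, using the commit's `lastModified` timestamp as a stand-in for how long the revision has been public (an approximation, since commit timestamps are set by the author).

```python
"""Check that the nixpkgs revision pinned in flake.lock has cooled down."""
import json
import time
from typing import Optional

COOLDOWN_DAYS = 7  # the buffer period described in the article


def locked_node(lock: dict, input_name: str = "nixpkgs") -> dict:
    """Follow root -> inputs[input_name] to the node holding the pinned rev."""
    nodes = lock["nodes"]
    key = nodes[lock["root"]]["inputs"][input_name]
    if not isinstance(key, str):  # "follows" paths (lists) are out of scope here
        raise ValueError(f"input {input_name!r} is not a plain node reference")
    return nodes[key]["locked"]


def revision_age_days(lock: dict, input_name: str = "nixpkgs",
                      now: Optional[float] = None) -> float:
    """Age of the pinned revision in days, measured from its commit timestamp.
    Caveat: lastModified is the commit time, not the time the revision became
    public, so a backdated commit would look older than it really is."""
    locked = locked_node(lock, input_name)
    now = time.time() if now is None else now
    return (now - locked["lastModified"]) / 86400


def meets_cooldown(lock: dict, input_name: str = "nixpkgs",
                   days: int = COOLDOWN_DAYS, now: Optional[float] = None) -> bool:
    """True if the pinned revision is at least `days` old."""
    return revision_age_days(lock, input_name, now) >= days


# Constructed sample flake.lock; rev and narHash are placeholders, not real values.
SAMPLE_LOCK = json.loads("""{
  "nodes": {
    "nixpkgs": {
      "locked": {"lastModified": 1700000000, "narHash": "sha256-PLACEHOLDER",
                 "owner": "NixOS", "repo": "nixpkgs", "rev": "PLACEHOLDER", "type": "github"},
      "original": {"owner": "NixOS", "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github"}
    },
    "root": {"inputs": {"nixpkgs": "nixpkgs"}}
  },
  "root": "root",
  "version": 7
}""")

if __name__ == "__main__":
    with open("flake.lock") as f:  # check the lock file of the current flake
        lock = json.load(f)
    age = revision_age_days(lock)
    print(f"nixpkgs revision is {age:.1f} days old; cooldown met: {meets_cooldown(lock)}")
```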
It is important to note that this is not an official NixOS policy change. Upstream Nixpkgs has not implemented a mandatory seven-day delay. The change to the update flow applies only to Determinate Systems’ distribution and channels.
In addition, Determinate Systems urges the NixOS project to require peer review for Nixpkgs maintainer merges. The company recognizes this may slow merge speed initially, but believes it would address a major security gap.
For additional details, see the official announcement.
