Issue description
Currently on NixOS a lot of people can merge anything into master, and I and a few other NixOS users are getting really scared, as we are running NixOS on production clusters and on laptops we use for critical production deployments. As I can see there are a lot of people (including myself) I have to trust with their pull requests, and there's no way I can review every commit. While we have stable releases, I have to run unstable on a lot of systems, since I have to use new packages, and I don't want and don't have time to backport everything.
Possible solutions
- Split nixpkgs repo into nixcore and nixpkgs
And allow only a few developers (maybe top 10) to merge into nixcore and everyone else to nixpkgs. By core I mean a base NixOS system (what a base NixOS system is should be defined).
- Remove commit access for many developers(including myself)
This would be the easiest solution, but would slow down the merge rate, which is not necessarily that bad.
- Create nixpkgs security monitor/bot
This bot will look for changes of derivation input hashes and report on any change over provided pull requests on any critical package, and at least m/N of maintainers will have to acknowledge a pull request for it to be merged. Any direct commits into master (excluding trusted bots/committers) will be reported automatically. We used to have a NixOS monitor; what has happened with that project?
I want to start a discussion on this critical issue and see others' ideas. A lot of other distros have tough review processes for someone to become a core maintainer. I would also like to perform a security review of nixpkgs and would possibly pay some security researcher to inject code into nixpkgs/NixOS on purpose, to see how bad security is, if you are fine with that?
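As an added illustration of the security monitor/bot proposal above (example code, not from the issue author or from the nixpkgs project), the Python sketch below compares derivation hashes of critical packages between two snapshots, applies an m-of-N maintainer acknowledgement rule to each changed critical package, and flags pushes that reached master without a pull request from anyone outside a trusted set. The package names, maintainer handles, hash strings and trusted-committer list are all constructed assumptions; a real bot would obtain the hashes from `nix-instantiate` or a similar evaluation of each revision.

```python
"""Toy nixpkgs 'security monitor' policy check (added example, not project code).

Models the proposal: derivation hashes per package are snapshotted before and
after a pull request; any change to a *critical* package must be acknowledged by
at least m of that package's N maintainers before the PR counts as mergeable,
and commits that reach master without a PR are reported unless the author is a
trusted committer/bot. All data below is constructed (hashes are placeholders).
"""
from dataclasses import dataclass, field

# Critical packages and their maintainers (constructed; handles are hypothetical).
CRITICAL = {
    "openssl": {"alice", "bob", "carol"},
    "glibc": {"alice", "dave", "erin", "frank"},
    "bash": {"bob", "carol"},
}

# Identities allowed to push to master directly (constructed).
TRUSTED_DIRECT_COMMITTERS = {"release-bot"}


@dataclass
class Report:
    changed_critical: dict = field(default_factory=dict)  # pkg -> (old_hash, new_hash)
    missing_acks: dict = field(default_factory=dict)      # pkg -> acks still required

    @property
    def mergeable(self) -> bool:
        # Mergeable only when every changed critical package met its m-of-N rule.
        return not self.missing_acks


def diff_drv_hashes(before: dict, after: dict, critical=CRITICAL) -> dict:
    """Return {pkg: (old, new)} for critical packages whose .drv hash differs.

    A package present on only one side (added or removed) also counts as a change.
    Non-critical packages are ignored: the monitor only escalates critical ones.
    """
    changed = {}
    for pkg in critical:
        old, new = before.get(pkg), after.get(pkg)
        if old != new:
            changed[pkg] = (old, new)
    return changed


def check_pull_request(before: dict, after: dict, acks: dict, m: int,
                       critical=CRITICAL) -> Report:
    """acks maps pkg -> set of reviewers who acknowledged the change.

    Only acknowledgements from the package's own maintainers count, so a
    reviewer not listed for that package cannot satisfy the m-of-N rule.
    """
    report = Report(changed_critical=diff_drv_hashes(before, after, critical))
    for pkg in report.changed_critical:
        valid = acks.get(pkg, set()) & critical[pkg]
        required = min(m, len(critical[pkg]))  # m cannot exceed N maintainers
        if len(valid) < required:
            report.missing_acks[pkg] = required - len(valid)
    return report


def check_direct_commits(commits, trusted=TRUSTED_DIRECT_COMMITTERS) -> list:
    """commits: iterable of (sha, author, via_pull_request) tuples.

    Returns one alert string per commit that landed on master without a PR
    and whose author is not in the trusted set.
    """
    return [f"{sha} by {author}: direct push to master"
            for sha, author, via_pr in commits
            if not via_pr and author not in trusted]


if __name__ == "__main__":
    # Constructed snapshots: openssl changed (critical), hello changed (not critical).
    before = {"openssl": "drv-a1", "glibc": "drv-b1", "bash": "drv-c1", "hello": "drv-d1"}
    after = {"openssl": "drv-a2", "glibc": "drv-b1", "bash": "drv-c1", "hello": "drv-d2"}
    acks = {"openssl": {"alice", "mallory"}}  # mallory is not an openssl maintainer
    r = check_pull_request(before, after, acks, m=2)
    print("changed critical:", r.changed_critical)
    print("missing acks:", r.missing_acks, "mergeable:", r.mergeable)
    print(check_direct_commits([("abc123", "release-bot", False),
                                ("def456", "somebody", False)]))
```

In the sample run the openssl change has only one valid acknowledgement out of the two required, so the report is not mergeable, while the change to the non-critical `hello` package is never escalated; the direct-commit check reports `def456` but not the trusted `release-bot`.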