Today, we’re excited to announce long-term support for Determinate Secure Packages (DSP) version 25.11.
This variant is based on the nixos-25.11 branch of Nixpkgs but comes with industry-leading support, including:
- A 7-day
SLA for critical CVEs - Access to a tool called FlakeBOM that generates Software Bills of Materials (SBOMs) for Nix flakes (more on this new tool soon)
- Cryptographic signing
- Automated security scanning
- All
covered packages built on SOC 2 Type II infrastructure and cached inFlakeHub Cache
We sync with the upstream nixos-25.11 branch every two weeks at minimum, with a target of at least once a week.
We’ll do this until commits to this branch stop, at which point we will continue to monitor for and mitigate CVEs when necessary until end of May 2028.
If your organization is currently on Nixpkgs 25.11 and has signed up for access to DSP, switching to Determinate Secure Packages 25.11 is a one-line change in your flakes:
{ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; inputs.nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/secure-packages-25.11/0.1";}Get started
If you’re interested in Determinate Secure Packages, drop us a line at sales@determinate.systems to discuss terms or schedule a demo.
Once you’ve gained access, you can read
