A few months ago, we at Determinate Systems announced the release of Determinate Secure Packages, our curated secure subset of Nixpkgs with SLA-backed CVE remediation, optional FIPS-compliant packages, full cache coverage in
In the meantime, the importance of supply chain security found a way to go from “critical” to “OMG?!?” While memories of the xz backdoor, Shai Hulud, and S1ngularity linger, in 2026 we’ve been using LLMs to generate a whole lot more code and at an increasing rate, which has been amazing and transformative but also loaded with risks, especially in the absence of critical guardrails.
We’re not taking any of this sitting down. We’ve inaugurated some big changes to Determinate Secure Packages and made tons of progress, and today we wanted to give a broad-based update on where it stands—what it is, which distributions we’ve made available, what we’ve fixed, how we’re expanding the covered package set and making our platform more secure, and, last but not least, how you can get started securing your supply chain with Nix.
Determinate Secure Packages overview
In case you’re just tuning in, Determinate Secure Packages is Determinate Systems’ curated secure subset of Nixpkgs designed for the enterprise. It offers a wide range of things unavailable elsewhere:
- Remediation of CVEs on SLA-backed timelines. That SLA includes 7 days for mitigating critical vulnerabilities and a less rigid timeline for other severity levels. If a subset of your engineering org is currently mired in the game of whack-a-mole that is constant CVE patching, you can think of Determinate Secure Packages as a managed security service.
- Optional Federal Information Processing Standards (FIPS) builds for orgs operating under strict federal regulatory requirements in the United States. Our FIPS-compliant distributions provide compliant variants of OpenSSL and many other packages.
- Signed packages. Every package is built on and distributed from our SOC2-Type-II-compliant infrastructure, complete with cryptographic signatures for provenance.
- Total cache coverage. All packages in our curated subset are built on our secure infrastructure and cached in FlakeHub Cache. That means no cache misses and no bewilderment when a simple Nix operation starts building gcc or some other low-level dependency that’s temporarily unavailable in a public cache.
You get all of the above with broad platform support.
All packages in our curated subset are built and cached for macOS on Apple Silicon (aarch64-darwin), Linux on 64-bit Arm processors (aarch64-linux), and Linux on 64-bit x86 processors (x86_64-linux).
RISC-V is an upcoming target: coverage there is currently partial, but we’re looking to expand it over time.
We originally envisioned and built Determinate Secure Packages for teams that are already heavily invested in Nix and looking to improve their security footing. What we’ve discovered, though, is that many organizations interested in Determinate Secure Packages aren’t yet invested in Nix at all and are actually looking to radically overhaul their supply chain story by adopting Nix and Determinate.
Determinate Secure Packages distributions
Since its release, we’ve expanded Determinate Secure Packages to include three different distributions:
- `secure-packages-rolling`. “Rolling” essentially means that we track the `master` branch of Nixpkgs. You’ll want to use this one if you prefer living on the edge with unstable Nixpkgs.
- `secure-packages-rolling-fips`. Essentially `secure-packages-rolling` but with support for FIPS.
- `secure-packages-25.11`. You’ll want to use this if your organization is currently on Nixpkgs 25.11.
For organizations already on Nixpkgs 26.05, we’re hard at work on a 26.05 release and you should be hearing from us about that in the next few days. For the upcoming Nixpkgs 26.11 release in a few months, we expect to turn out a Determinate Secure Packages version almost immediately.
CVE remediation
SLA-backed CVE remediation is arguably the killer feature of Determinate Secure Packages, enabling large orgs to free up major engineering resources by offloading mountains of laborious work to a third party (hi!). To throw some illustrative numbers into the mix, since launch, we’ve addressed thousands of vulnerabilities across the various distributions of Determinate Secure Packages in just the last month.
And all of those fixes have been released well within the SLA window.
In some cases, we’ve even been able to patch CVEs and push fixed packages to
Expanded coverage within Determinate
Since the initial release of Determinate Secure Packages, we’ve begun building more and more of our own platform against it.
We’ve been building
These changes are not cosmetic. They’re essential to our compliance with various regulatory regimes, like SOC 2 Type II and FedRAMP—and, in turn, to our customers’ compliance with those same regimes.
Expanded package coverage
When we initially released Determinate Secure Packages, our covered package set included a few thousand packages. That number has now expanded well past 10,000 and will continue to expand in response to our customers’ needs. It includes:
- Everything required to build a baseline NixOS system
- Everything in Nixpkgs’ stdenv
- All the standard utilities you’d expect on Unix systems
- A vast range of language compilers and toolchains, such as Rust, Python, Node.js, and many others
It notably does not include more ancillary artifacts like Visual Studio Code extensions or Vim plugins, but in the future it might (depending on customer need, as always).
Getting started with Determinate Secure Packages
To get started with Determinate Secure Packages, reach out to us at sales@determinate.systems to furnish your organization with initial access.
Once you have access and you’ve completed
- Convert your existing Nixpkgs inputs to use Determinate Secure Packages. Here’s an example for the “rolling” distribution (essentially Nixpkgs unstable), shown as the change to make in flake.nix:

```diff
 {
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+  inputs.nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/secure-packages-rolling/0.1";
 }
```

  Now everything in this flake that relies on Nixpkgs—dev environments, packages, NixOS systems, whatever—is built from Determinate Secure Packages. Need FIPS support? Use `secure-packages-rolling-fips`. Need to rely on latest stable? Use `secure-packages-25.11` (or `secure-packages-26.05` soon). Swap out a flake reference and move on.
- Need to update your package set, perhaps to take advantage of a patched package? The standard Nix machinery will do:

```shell
# Update to the latest version of your Determinate Secure Packages distribution
nix flake update nixpkgs
```
And that’s really it! Determinate Secure Packages isn’t a traditional “integration” that requires refactoring or precious engineering resources. It’s “just” an alternative package set available through our platform. The real work happens on our side.
Coming soon: FlakeBOM
We began our supply chain efforts in earnest last year and we’re incredibly proud of the progress that we’ve made so far. Special thanks go out to Tristan Ross and Dom Hummel for their ingenuity and tireless effort. Determinate Secure Packages is already making a huge difference for several of our customers and we can only expect that to continue.
But as always with Determinate Systems, there’s much more on the way, and you’ll learn much more even this week.
On Thursday, we’ll tell you about the next major pillar of our supply chain efforts: FlakeBOM.
Make sure to tune in on Thursday to hear more. Until then, reach out to us if you want to learn more about becoming a Determinate Secure Packages customer (which comes with access to FlakeBOM!) or join us on Discord for a more relaxed discussion.