1. Each package in the Nixpkgs repo has an assigned maintainer mentioned in the source.
2. Nothing prevents you from using your own repo/hosting solution for Nix channel.
3. Writing or overwriting packages in Nix is dumb easy, so I do not see a problem here either.
I started using Nix exclusively on macOS and I couldn't be happier. The best part IMHO is the fact that I can easily test different packages without permanently changing my system and dealing with clutter left by these.
So in general, this is less of a problem than you think it is, especially as you clone that repo locally, so you do not hit GH/Savannah on each installation.
I have the same experience. Using NixOS, not just NixPkgs, but it shouldn't matter.
Nix takes security very seriously. See e.g. [1]. Plus, a distribution that defines packages declaratively and makes things so reproducible is the ultimate tool to avoid many security issues.
Similarly, ‘guix lint’ has a CVE “checker” that reports CVEs that affect a given package [0]. Since the Guix package name might differ from the “CPE name” (the naming scheme devised by NIST), Guix package definitions can include the CPE name to make sure ‘guix lint’ will look for the right thing. ‘guix lint’ is also able to determine whether a vulnerability is already patched in the Guix package definition.
There’s also work on a ‘guix health’ program in the pipe [1], which is again complicated by this whole CPE story (which Vulnix seems to ignore).
Last but not least, Guix has “grafts”, a mechanism that allows for fast security update deployment, meaning that rebuilding the world is unnecessary when applying a security update on a package deep down in the dependency graph [2, 3].
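To make the three Guix mechanisms above concrete, here is an added example of a package definition that uses them; it is not code from the thread or from the Guix tree. The package "foo", its URL and hash, the CPE product name "libfoo", the patch file name and the CVE identifier in it are all placeholders, and the patch file is assumed to exist on Guix's patch search path.

```scheme
;; Added example: a hypothetical Guix package showing the CPE-name property,
;; a CVE-named patch that 'guix lint -c cve' recognises as a fix, and a
;; graft ('replacement') so dependents need not be rebuilt.  Names, URL,
;; hash and CVE identifier are placeholders, not real data.
(define-module (hypothetical foo)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (gnu packages)                  ; for 'search-patches'
  #:use-module ((guix licenses) #:prefix license:))

(define-public foo
  (package
    (name "foo")
    (version "1.2.3")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://example.org/foo-" version ".tar.gz"))
              ;; placeholder hash; 'guix download' prints the real one
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    ;; The NIST CPE dictionary calls this product "libfoo", not "foo".
    ;; Without this property the CVE checker would query the wrong name and
    ;; silently report nothing.
    (properties '((cpe-name . "libfoo")))
    ;; Graft: once foo/fixed is defined, 'guix package -u' substitutes it for
    ;; foo in every dependent's closure without rebuilding those dependents.
    (replacement foo/fixed)
    (synopsis "Hypothetical library used to illustrate Guix security tooling")
    (description "Placeholder description for the example.")
    (home-page "https://example.org/foo")
    (license license:gpl3+)))

(define foo/fixed
  (package
    (inherit foo)
    (source (origin
              (inherit (package-source foo))
              ;; 'guix lint -c cve' scans patch file names for CVE-YYYY-NNNN
              ;; and treats a match as "already patched", so the fix is not
              ;; reported again.  CVE-0000-0000 is a placeholder identifier.
              (patches (search-patches "foo-CVE-0000-0000.patch"))))))
```

Run `guix lint -c cve foo` to see the checker consult the CPE name; the graft is an ABI-compatible rebuild of the same package, which is why it can be swapped in without recompiling everything that links against it.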