How does nix-bitcoin provide greater security for installing Bitcoin nodes?



nixbitcoindev explains here that the extra security offered by nix-bitcoin comes from minimalism, code reproducibility, compartmentalization and defense in depth.

nix-bitcoin uses NixOS, which is a purely functional operating system. That means it builds the entire operating system from the source code of every application and the Linux kernel, resulting in the same system every single time it is deployed.

With a standard Linux distribution it is not possible to uninstall all the packages you don't need, as that may eventually result in a broken system. NixOS takes an approach where it goes through and calculates what you need and only builds that. This minimalism significantly reduces the attack surface.

Everything is reproducible with NixOS, not only Bitcoin-related software such as Bitcoin Core, c-lightning, lnd, etc., but the entire stack including the Linux kernel. As a result you know you have exactly the same system that everyone else has. That is a really strong defense against the developers inserting malicious code or upstream code getting compromised. Once the developers have verified the software, the hash means it is going to be the same software that everyone is using.

Every service runs in its own little box under its own user. It can only see its own directory, and with network namespaces it can't even scope out your entire network. It can only scope out its own network, its own Linux namespace and the ones it is allowed to see. Processes outside of that network namespace also can't look inside. That provides a great deal of security, because programs like Spark wallet that connect to your c-lightning can never see JoinMarket, Electrum or bitcoind. They are maximally compartmentalized.

Defense in depth means putting up multiple walls or multiple lines of defense. nix-bitcoin isolates by users and isolates at the network level with systemd.
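
A way to check the per-service user and network-namespace isolation described above, added here as an example and not taken from nix-bitcoin's own code. It assumes the isolation is visible in the systemd unit properties `User` and `NetworkNamespacePath`; the unit names, users and namespace paths in the sample are constructed.

```python
from collections import defaultdict

# Constructed sample: `systemctl show -p Id,User,NetworkNamespacePath <unit>`
# output for three units, separated by blank lines. Values are illustrative.
SAMPLE = """\
Id=clightning.service
User=clightning
NetworkNamespacePath=/run/netns/ns-clightning

Id=spark-wallet.service
User=clightning
NetworkNamespacePath=/run/netns/ns-spark-wallet

Id=joinmarket.service
User=joinmarket
NetworkNamespacePath=
"""

def parse_units(text):
    """Turn blank-line separated Key=Value records into a list of dicts."""
    units = []
    for record in text.strip().split("\n\n"):
        props = dict(line.split("=", 1) for line in record.splitlines() if "=" in line)
        units.append(props)
    return units

def audit(units):
    """Return findings where a unit lacks its own user or network namespace."""
    findings = []
    by_user, by_netns = defaultdict(list), defaultdict(list)
    for u in units:
        user, netns = u.get("User", ""), u.get("NetworkNamespacePath", "")
        if user in ("", "root"):
            findings.append((u["Id"], "runs as root or without a dedicated user"))
        else:
            by_user[user].append(u["Id"])
        if not netns:
            findings.append((u["Id"], "no network namespace: sees the host network"))
        else:
            by_netns[netns].append(u["Id"])
    for kind, groups in (("user", by_user), ("network namespace", by_netns)):
        for value, ids in groups.items():
            if len(ids) > 1:
                findings.append((", ".join(sorted(ids)), f"share {kind} {value}"))
    return findings

if __name__ == "__main__":
    for unit, problem in audit(parse_units(SAMPLE)):
        print(f"{unit}: {problem}")
```

On a deployed node, the same audit can be fed the real `systemctl show` output for each service in place of the constructed sample.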
