What problem are you trying to solve?
I am unsure that the packages I install are legitimate.
As a new user it is understood that devbox is an abstraction on Nix and is fetching Nix packages. Yet, I'd still like to ensure that what I've installed has not been tampered with and is the package as intended. Comparing some of the package names shows it's an easy mistake:
e.g. mysql, which has the description An enhanced, drop-in replacement for MySQL (and I'm unable to find on search.nixos.org)
vs mysql80, which seems to be the genuine edition of mysql
Aside from devbox info <package-name>, it is difficult to get any more details on a package and I don't think matching up the descriptions is sufficient.
What solution would you like?
I'd like to get access to the official page for a package and its related links via the CLI. e.g. nixos.org provides a ref to the package's source code, its author and the official project home page. Before using it, I'd like to verify the package cryptographically to make sure it hasn't been tampered with and that it is the package I intended to use.
If we can make it easy to verify a package from a local installation, to Nix, to the project's source then it could improve adoption.
*Apologies if there is some naivety. I'm not invested in Nix. Perhaps there is already a way to do this? If someone could share how that'd be very appreciated.
Alternatives you've considered
Investing more time into understanding Nix. I'm not inclined to do this as I understand this is what devbox is trying to solve.