[Nix-dev] Re: Per-user package installations
Ludovic Courtès
ludovic.courtes at laas.fr
Wed Aug 22 19:11:14 CEST 2007
Hi,
Eelco Dolstra <eelco at cs.uu.nl> writes:
> Nix-env certainly doesn't require root access, if Nix is configured in the right
> way. (And "the right way" isn't documented yet, but NixOS is set up that way -
> any user can install software. I'll update the manual for the Nix 0.11 release
> soon.)
Then I'll stay tuned. ;-)
> In principle nix-channel could also work per user - the only problem is that
> nix-channel does a nix-pull to get a list of pre-built binaries, and that's a
> privileged operation that only root can do. The reason for this is that
> otherwise a user could register some bogus binary that doesn't correspond to its
> purported derivation (the source build action from which the binary was
> supposedly produced). Building from source is safe because users cannot
> influence builds (they're executed under a different, unique uid).
Does skipping `nix-pull' mean building from source, at least in the
event where no list of pre-built store paths is already available?
> There is a paper about the Nix security model:
>
> http://people.cs.uu.nl/eelco/pubs/secsharing-ase2005-final.pdf
Thanks for pointing it out.
> The current model is described in section 3.
Does `nix-env -i' actually ask a daemon running as the global Nix user
to "build" on its behalf, as described in Section 3?
I guess I'm not yet very familiar with Nix...
Thanks,
Ludovic.