[Nix-dev] Re: NIX_OTHER_STORES and security?

Ludovic Courtès ludo at gnu.org
Tue Nov 25 18:07:06 CET 2008


Hi,

Marc Weber <marco-oweber at gmx.de> writes:

> What happens if a user subscribes to a channel which contains malicious
> packages? I mean if the user installs a malicious package this way and
> the sysadmin does so as well but maybe two days later. Then the sysadmin
> won't install anything but reuse the existing (manipulated) store path..
>
> Am I missing a point here?

Yes, `nix-pull' must be run as root currently, since
`/nix/var/nix/manifests' is not world-writable.

Thanks,
Ludo'.



