[Nix-dev] Nix(OS) and passwords ? builtins.writeFileToPath proposal

Michael Raskin 7c6f434c at mail.ru
Sun Dec 27 11:24:03 CET 2009


Marc Weber wrote:
> a) We don't want root to run the build (too unsafe)
> 
> c) We want to run
>   nix-build release.nix -A live_cd
>   which may contain passwords.

There are three users:

1) calling user
2) store owner
3) build user (never coincides with previous ones)

There are some stages:

1) reading expressions
2) evaluating expressions
3) writing derivations
4) reading derivations
5) preparing the build
6) running the build
7) post-processing the build output (changing permissions, finding
dependencies)

It would be reasonable that (1, 2) are done by (1), (3, 4, 5, 7) by (2)
and (6) by (3).

I guess we could have "derivationSecret" and "owners" derivation
properties. If they are set, the derivation is only readable by the store
owner; only direct builds by the store owner or local builds via the Nix
daemon by users with names in the "owners" list should go on.
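
The stage/user split and the proposed "derivationSecret"/"owners" rule from the message above, modelled as an added example (not code from the post or from Nix). The attributes are the proposal's and do not exist in Nix; all function names, the user names, and the choice that "derivationSecret" alone triggers the restriction are assumptions.

```python
"""Hypothetical model of the proposal; nothing here is a real Nix API."""
from dataclasses import dataclass

# Stage -> role that should perform it, as listed in the message.
STAGE_ROLE = {
    "read-expressions": "caller",
    "evaluate-expressions": "caller",
    "write-derivation": "store-owner",
    "read-derivation": "store-owner",
    "prepare-build": "store-owner",
    "run-build": "build-user",
    "post-process-output": "store-owner",
}

# Constructed sample accounts for illustration.
SAMPLE_USERS = {"caller": "alice", "store-owner": "nix", "build-user": "nixbld1"}


@dataclass(frozen=True)
class Derivation:
    name: str
    derivation_secret: bool = False   # proposed "derivationSecret"
    owners: frozenset = frozenset()   # proposed "owners"


def stage_violations(trace, users):
    """Return the stages in trace [(stage, user), ...] run by the wrong user."""
    if users["build-user"] in (users["caller"], users["store-owner"]):
        raise ValueError("build user must differ from caller and store owner")
    return [stage for stage, user in trace if users[STAGE_ROLE[stage]] != user]


def drv_file_mode(drv):
    """Owner-only read for secret derivations, world-readable otherwise."""
    return 0o400 if drv.derivation_secret else 0o444


def may_build(drv, requester, store_owner, via_daemon, local):
    """Allow direct builds by the store owner, or local daemon builds by owners."""
    if not drv.derivation_secret:
        return True                       # ordinary derivation: unrestricted
    if not via_daemon:
        return requester == store_owner   # direct build
    return local and requester in drv.owners
```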
