[Nix-dev] Re: hydra & signing
Yury G. Kudryashov
urkud+nix at ya.ru
Wed Feb 23 07:48:26 CET 2011
Vladimír Čunát wrote:
> Hi.
> On 19 February 2011 08:00, Yury G. Kudryashov <urkud+nix at ya.ru> wrote:
>> Is it hard to let hydra sign .nar archives? If hydra-created .nar
>> archives will be signed, a user without root access (hence, without
>> privileges to do nix-channel --update) will be able to download &
>> nix-store --import these nars.
>
> Yes, I believe this is the way to go in future. Administrator should
> only be required to list the allowed substitution sources. I don't
> think it'll be difficult to make hydra sign the archives and make the
> substitute script check them. If you're interested in it, you can try
> to implement it. I doubt anyone would object to such a feature.
The main point is not to use substituters for downloading but to
download & import. Substituters are executed by nix-daemon and must be
registered by root.
With my solution (not really mine; nix-store already supports it, but
neither hydra nor nix-build does) root only needs to "bless" hydra's
public key once, then users will be able to install binary packages produced
by hydra using just curl&nix-store --import. Of course, later nix-build
should automatically ask hydra for available packages (e.g., by fetching
manifest) but this should happen on the *client* side, not on the nix-daemon
side.
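The flow described above (hydra signs each nar, root blesses hydra's public key once, an unprivileged user verifies and then imports), as an added shell illustration that is not Nix's or hydra's own code: it uses openssl for signing, stands in for the nar with a constructed file, assumes hypothetical key paths under a temporary directory, and stubs out the final nix-store --import so it runs offline.

```shell
#!/bin/sh
# Added illustration, not Nix/hydra code. Signing with openssl; key paths
# below are assumptions, the real ones would be chosen by the administrator.
set -eu

WORK=$(mktemp -d)
HYDRA_KEY="$WORK/hydra-signing-key.sec"    # private key, stays on hydra
BLESSED_PUB="$WORK/hydra-signing-key.pub"  # public key root installs once

# Hydra side: create the keypair whose public half root will bless.
hydra_make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$HYDRA_KEY" 2>/dev/null
    openssl pkey -in "$HYDRA_KEY" -pubout -out "$BLESSED_PUB" 2>/dev/null
}

# Hydra side: detached SHA-256/RSA signature over the nar, published next to it.
hydra_sign_nar() {
    openssl dgst -sha256 -sign "$HYDRA_KEY" -out "$1.sig" "$1"
}

# Client side: verify the downloaded nar against the blessed key.
# Returns 0 only when the signature matches; no root privileges needed.
client_verify_nar() {
    openssl dgst -sha256 -verify "$BLESSED_PUB" -signature "$1.sig" "$1" \
        >/dev/null 2>&1
}

# Client side: the import step is gated on verification. The real command
# would be 'nix-store --import < "$1"'; a stub is used here.
client_import_if_valid() {
    if client_verify_nar "$1"; then
        echo "import $1"
        return 0
    fi
    echo "refusing to import $1: signature does not match blessed key" >&2
    return 1
}

# Constructed sample: the "nar" is an ordinary file with known content.
printf 'constructed sample nar content\n' > "$WORK/foo.nar"
hydra_make_keypair
hydra_sign_nar "$WORK/foo.nar"
```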