[Nix-dev] Re: hydra & signing

Yury G. Kudryashov urkud+nix at ya.ru
Wed Feb 23 07:48:26 CET 2011


Vladimír Čunát wrote:

> Hi.
> On 19 February 2011 08:00, Yury G. Kudryashov <urkud+nix at ya.ru> wrote:
>> Is it hard to let hydra sign .nar archives? If hydra-created .nar
>> archives will be signed, a user without root access (hence, without
>> priveledges to do nix-channel --update) will be able to download &
>> nix-store --import these nars.
> 
> Yes, I believe this is the way to go in future. Administator should
> only be required to list the allowed substitution sources. I don't
> think it'll be difficult to make hydra sign the archives and make the
> substitute script check them. If you're interested in it, you can try
> to implement it. I doubt anyone would object to such a feature.
The main point is not to use substituters for downloading but to 
download&import. Substituters are executed by nix-daemon and must be 
registered by root.

With my solution (not really mine; nix-store already supports it, but 
neither hydra nor nix-build doesn't) root only needs to "bless" hydra's 
public key once, then users will be able to install binary packages produced 
by hydra using just curl&nix-store --import. Of course, later nix-build 
should automatically ask hydra for available packages (e.g., by fetching 
manifest) but this should happen on the *client* side, not on the nix-daemon 
side.




More information about the nix-dev mailing list