[Nix-dev] (signed) manifest vs signed nars
Yury G. Kudryashov
urkud.urkud at gmail.com
Wed Jan 4 18:29:27 CET 2012
Hi!
Currently a non-root user can download and install a binary package instead of
building from source in two cases:
1. There exists a manifest that contains a link to this binary package.
2. The .nar file is PGP-signed by a 'trusted' store.
The first approach has a few downsides:
a. I need root privileges to update the list of available binary packages
(not only "bless" buildfarm, but every update!).
b. Root has to download a large MANIFEST file that contains a lot of useless
information. It is a pain unless one has a fast Internet connection.
I see no way to work around these problems.
The second one has the following downsides:
a. Hydra does not sign its nars.
b. `nix-store -r` does not support automatic downloading of signed nars
during build.
Both seem to be (easily) fixable. I'm ready to fix the second one. Eelco and
Rob, could you please let hydra sign its nars? Or even better let hydra
produce detached signatures so that one can do `nix-store --export; download
binary patch and signature; nix-store --import` ?
--
Yury G. Kudryashov,
mailto: urkud at mccme.ru