[Nix-dev] Binary trust (was: Haskell NG: Still no binaries)
Ertugrul Söylemez
ertesx at gmx.de
Thu Apr 16 20:09:40 CEST 2015
Hi Kirill,
>>>> nix-env \
>>>> --option extra-binary-caches https://hydra.nixos.org \
>>>> --option extra-binary-caches https://hydra.cryp.to \
>>>> -iA nixos.pkgs.hsEnv
>
> Might it be the case that you are running nix in daemon mode and thus it
> ignores `binary-caches`?
That did it! Since I'm running NixOS I am indeed running nix-daemon.
The following setting did the trick:
nix.binaryCaches = [
"https://cache.nixos.org/"
"https://hydra.nixos.org/"
];
Thanks a lot!
Unfortunately hydra.cryp.to does not seem to support TLS. That's why I
left it out. But that raises an interesting question: Where do the
hash values for the binary packages come from?
At this point since we lack deterministic builds I would assume that
they come from the same host that delivers the substitutes. A related
question is: Are the hashes signed?
If the hashes are not trusted, then a plain-text connection would be a
huge security risk regardless of whether you trust the host. Even a
malicious user or an infected machine on your local network could
replace binary packages on their way and get arbitrary code onto your
machine.
Greets,
Ertugrul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 472 bytes
Desc: not available
Url : http://lists.science.uu.nl/pipermail/nix-dev/attachments/20150416/a37d11ca/attachment.bin
More information about the nix-dev
mailing list