[Nix-dev] Signing source packages
Tim Barbour
trb at categorical.net
Tue Feb 3 00:54:04 CET 2015
At Mon, 2 Feb 2015 15:45:31 +0000,
Daniel Shahaf wrote:
> [ tl;dr: NixOS should sign any code that makes it into users' systems. ]
> [...]
> I would therefore suggest that NixOS starts signing any code that gets
> installed on users' machines, and that Nix should, by default, verify
> signature against a set of trusted keys and refuse to install packages
> that fail to verify. By comparison, most distros sign everything, from
> .iso images onwards.
>
> Part of this has been implemented: verification of binary packages was
> implemented last year [1]; however, it is off by default. (Thanks
> to Lethalman on IRC for this information.)
>
> I'm suggesting that as an interested potential user; I don't run NixOS
> at the moment. (And not having signed packages makes it harder for me
> to choose it over alternatives.)
I would like to see this too. I do run NixOS.
Tim