[Nix-dev] Signing source packages
Wout Mertens
wout.mertens at gmail.com
Tue Feb 3 12:19:50 CET 2015
About the signed binaries, I opened
https://github.com/NixOS/nixos-org-configurations/issues/8 but someone
needs to do the footwork and even though I'd gladly do it I don't have the
requisite permissions.
As for the rest, if you want to reduce security risk you can simply
disallow binary substitution, so it will build everything locally from the
checksummed sources. Then you only need to trust the nixpkgs git repository
and the original sources.
Wout.
On Tue Feb 03 2015 at 12:54:17 AM Tim Barbour <trb at categorical.net> wrote:
> At Mon, 2 Feb 2015 15:45:31 +0000,
> Daniel Shahaf wrote:
> > [ tl;dr: NixOS should sign any code that makes it into users' systems. ]
> > [...]
> > I would therefore suggest that NixOS starts signing any code that gets
> > installed on users' machines, and that Nix should, by default, verify
> > signature against a set of trusted keys and refuse to install packages
> > that fail to verify. By comparison, most distros sign everything, from
> > .iso images onwards.
> >
> > Part of this has been implemented: verification of binary packages has
> > been implemented last year [1], however, it is off by default. (Thanks
> > to Lethalman on IRC for this information.)
> >
> > I'm suggesting that as an interested potential user; I don't run NixOS
> > at the moment. (And not having signed packages makes it harder for me
> > to choose it over alternatives.)
>
> I would like to see this too. I do run NixOS.
>
> Tim
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.science.uu.nl/pipermail/nix-dev/attachments/20150203/edbea2f7/attachment.html
More information about the nix-dev
mailing list