[Nix-dev] [yui at cock.li: Re: Malicious installation methods]

Yui Hirasawa yui at cock.li
Fri Jun 17 15:56:22 CEST 2016


>> Retrieving code straight from the internet and blindly executing is
>> never a good thing and you don't give any sort of recommendation for
>> the user to inspect the script before running it. This completely
>> defeats the point of having reproducible builds when your system can
>> be completely infected when you install the package manager. This
>> also means that anything installed through the package manager is
>> potentially malicious as well.
>>
>>> $ curl https://nixos.org/nix/install | sh
>>

> and the distribution method is over a verified channel

HTTPS is not a verified channel. Our current CA system is really fragile
and there is a large number of adversaries who could easily acquire a
fake certificate for nixos.org. This method is only verified if you
actually check that the certificate that was used for the TLS
connection is the correct one for nixos.org, and currently you have to
do that manually. Verifying the connection to nixos.org is more work
than verifying a GPG signature.

> One improvement would be to sign the actual script with an offline key
> but while that would be safer the current method is perfectly fine.

The current method isn't fine at all.

Here is a quote from the #nix channel:

> kmicu: Tsutsukakushi: I told ya so… security is not a priority here.
> Feel free to try to improve security in Nix world, but you are better
> off with Guix. They even don’t trust compilers w/o bootstrapping from
> the source option :)
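The alternative the thread argues for (fetch the installer to disk, check a detached signature from an offline key, pin the TLS key rather than trusting the CA system) as an added shell example; it is not part of the original message or of Nix itself, and the keyring path, the pinned-key hash and the `.sig` URL convention are placeholders you would have to obtain out of band.

```shell
#!/bin/sh
# Added example: replace "curl ... | sh" with fetch, verify, then run.
# Assumptions (placeholders, not real project values): KEYRING contains
# only the project's offline signing key; PIN is the sha256 of the server's
# TLS public key (SPKI), as accepted by curl --pinnedpubkey.
set -eu

KEYRING="${KEYRING:-./trusted-installer-keyring.gpg}"   # placeholder
PIN="${PIN:-sha256//PLACEHOLDER_BASE64_SPKI_HASH}"       # placeholder

# Download the script and its detached signature to files, never into sh.
# --pinnedpubkey makes curl abort unless the server key matches PIN, so a
# certificate mis-issued by some CA for the host is not sufficient.
fetch_installer() {
    url="$1"; out="$2"
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
         --pinnedpubkey "$PIN" -o "$out" "$url"
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
         --pinnedpubkey "$PIN" -o "$out.sig" "$url.sig"
}

# Execute the script only if gpg verifies it against the key in KEYRING.
# Returns 1 and runs nothing when verification fails or gpg is missing;
# returns the script's exit status after a successful verification.
run_if_signed() {
    script="$1"; sig="$2"
    if gpg --batch --no-default-keyring --keyring "$KEYRING" \
           --verify "$sig" "$script" 2>/dev/null; then
        sh "$script"
    else
        echo "signature check failed; not executing $script" >&2
        return 1
    fi
}
```

Typical use is `fetch_installer https://example.invalid/install /tmp/install.sh && run_if_signed /tmp/install.sh /tmp/install.sh.sig`; a tampered or unsigned script is refused before any of it executes.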
