[Nix-dev] [yui at cock.li: Re: Malicious installation methods]

Jookia 166291 at gmail.com
Fri Jun 17 17:29:49 CEST 2016


On Fri, Jun 17, 2016 at 03:01:00PM +0000, zimbatm wrote:
> I don't mean to say that GPG is a bad idea. It's just that using SSL is a
> better idea unless we nail the GPG bit. Not everyone is getting
> state-sponsored attacks.

TLS and GPG aren't mutually exclusive; you can use both. It's also worth noting
that states aren't the only people attacking TLS: Tor exit nodes like to do it
too. It does trouble me that there's no way to really verify that I have a copy
of Nix that the maintainers have. Right now I check out with an unverified Git
repository which isn't much better either. It'd be nice to at least try to have
verification.

