[Nix-dev] [yui at cock.li: Re: Malicious installation methods]

zimbatm zimbatm at zimbatm.com
Fri Jun 17 17:46:02 CEST 2016


On Fri, 17 Jun 2016 at 16:35 Jookia <166291 at gmail.com> wrote:

> On Fri, Jun 17, 2016 at 03:01:00PM +0000, zimbatm wrote:
> > I don't mean to say that GPG is a bad idea. It just that using SSL is a
> > better idea unless we nail the GPG bit. Not everyone is getting
> > state-sponsored attacks.
>
> TLS and GPG aren't mutually exclusive, you can use both. It's also worth
> noting that states aren't the only people attacking TLS: Tor exit nodes
> like to do it too. It does trouble me that there's no way to really verify
> that I have a copy of Nix that the maintainers have. Right now I check out
> with an unverified Git repository which isn't much better either. It'd be
> nice to at least try to have verification.
>

I suppose we could distribute the installation script as part of a hydra
build. That way it would be signed like the rest of the packages. It does
suppose that the build hosts aren't compromised though.
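The "verify before execute" flow the thread is circling around, as an added example that is not part of this thread and not the Nix project's own installer: the downloaded script is checked against a detached GPG signature made by a pinned keyring, and independently against a SHA-256 obtained over a separate channel, and only then run. The file names install.sh, install.sh.sig and nix-release-keys.gpg are assumptions, as is the idea of shipping the digest out of band; the signature step mirrors what a Hydra-built, signed install script would buy you, while the digest step covers the case the thread raises where the build host itself is not trusted.

```shell
#!/bin/sh
# Added example (not from the nix-dev thread or the Nix project). Verifies a
# downloaded install script before executing it. File names and the keyring
# path are assumptions for illustration.
set -eu

# Portable SHA-256 of a file (coreutils sha256sum, or BSD/perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file's SHA-256 equals the expected digest exactly.
# An empty expected value is rejected up front so a missing out-of-band
# digest can never "match".
check_sha256() {
    file=$1; expected=$2
    [ -n "$expected" ] || return 1
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Verify a detached signature against a pinned keyring only. The user's
# default keyring is deliberately not consulted, so a key that was never
# pinned cannot make the check pass even if it is locally trusted.
check_gpg_signature() {
    script=$1; sig=$2; keyring=$3
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$sig" "$script" >/dev/null 2>&1
}

# Execute the installer only after BOTH checks succeed. This is the
# replacement for "curl ... | sh": the script is a file on disk that was
# inspected before anything in it ran.
verify_and_run() {
    script=$1; sig=$2; keyring=$3; expected=$4
    check_gpg_signature "$script" "$sig" "$keyring" \
        || { echo "signature check failed for $script" >&2; return 1; }
    check_sha256 "$script" "$expected" \
        || { echo "checksum mismatch for $script" >&2; return 1; }
    sh "$script"
}

# Typical use (paths and digest are placeholders):
# verify_and_run ./install.sh ./install.sh.sig ./nix-release-keys.gpg \
#     "<sha256 obtained over a separate channel>"
```

Two properties matter here: the keyring is pinned rather than discovered, so TLS interception on the download path cannot substitute a key along with the script, and the digest comparison is a separate, independent check, so a compromised build host that produced a validly signed but modified script still fails unless it also controls the channel the digest came over.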