[Nix-dev] Malicious installation methods

Profpatsch mail at profpatsch.de
Sat Jun 18 23:18:01 CEST 2016


On 16-06-18 05:27pm, Michiel Leenaars wrote:
> Regarding the installer: it would be cool to have something like 
> http://appimage.org, http://orbital-apps.com, http://flatpak.org or
> http://snapcraft.io instead of a shell script. That would have a SHA
> that could be verified, etc.

It would be kind of ironic to use the exact opposite of what nix is
trying to achieve to distribute nix.

The best way to distribute nix would be a distro package that bootstraps
nix (nix should be self-updatable afterwards I think), either into /nix
or into /<something>/nix with an overlayfs.

The script approach is not very bad. Maybe sign it with gpg for people
who want to verify it.

-- 
Proudly written in Mutt with Vim on NixOS.
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
May take up to five days to read your message. If it’s urgent, call me.


More information about the nix-dev mailing list