[Nix-dev] Question on package signing and security?

Matthias Beyer mail at beyermatthias.de
Mon Mar 28 14:17:48 CEST 2016


Hi,

How is package signing done by nix and how does it work for nixpkgs/nixos?
I'm searching for resources on this because of my bachelor's thesis and I'm not
quite sure nix already does signing and the like.

So all the "big" package managers (apt, yum, pacman,...) do some gpg foo to sign
packages. How does this work in a nix context? Do we sign packages? Does nix
verify signatures? Do we sign expressions?

Is there any literature out there? I'm starting reading Eelco's papers now, maybe
I can find something in there...

(The context I'm asking this in is for traceability and auditability; my thesis
focuses on agent-based intrusion detection systems and how they do software
installations.)

-- 
Mit freundlichen Grüßen,
Kind regards,
Matthias Beyer

Proudly sent with mutt.
Happily signed with gnupg.