[Nix-dev] Binary trust (was: Haskell NG: Still no binaries)
Kirill Elagin
kirelagin at gmail.com
Thu Apr 16 21:11:35 CEST 2015
Actually, that’s an interesting question. I always assumed they were signed
(AFAIK `nix-store` is able to check signatures contained inside NAR-files),
but now I wonder how does hydra.cryp.to sign NAR’s…
On Thu, Apr 16, 2015 at 9:09 PM Ertugrul Söylemez <ertesx at gmx.de> wrote:
> Hi Kirill,
>
> >>>> nix-env \
> >>>> --option extra-binary-caches https://hydra.nixos.org \
> >>>> --option extra-binary-caches https://hydra.cryp.to \
> >>>> -iA nixos.pkgs.hsEnv
> >
> > Might it be the case that you are running nix in daemon mode and thus it
> > ignores `binary-caches`?
>
> That did it! Since I'm running NixOS I am indeed running nix-daemon.
> The following setting did the trick:
>
> nix.binaryCaches = [
> "https://cache.nixos.org/"
> "https://hydra.nixos.org/"
> ];
>
> Thanks a lot!
>
> Unfortunately hydra.cryp.to does not seem to support TLS. That's why I
> left it out. But that raises an interesting question: Where do the
> hash values for the binary packages come from?
>
> At this point since we lack deterministic builds I would assume that
> they come from the same host that delivers the substitutes. A related
> question is: Are the hashes signed?
>
> If the hashes are not trusted, then a plain-text connection would be a
> huge security risk regardless of whether you trust the host. Even a
> malicious user or an infected machine on your local network could
> replace binary packages on their way and get arbitrary code onto your
> machine.
>
>
> Greets,
> Ertugrul
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.science.uu.nl/pipermail/nix-dev/attachments/20150416/ad4f63a3/attachment.html
More information about the nix-dev
mailing list