[Nix-dev] Haskell NG: Still no binaries

Ertugrul Söylemez ertesx at gmx.de
Thu Apr 16 22:26:56 CEST 2015


> > That did it!  Since I'm running NixOS I am indeed running
> > nix-daemon.  The following setting did the trick:
> >
> >     nix.binaryCaches = [
> >         "https://cache.nixos.org/"
> >         "https://hydra.nixos.org/"
> >     ];
>
> IMHO, "nix-env" should pass those options on to the daemon, i.e. it
> should not be necessary to hard-code hydra.cryp.to as a global binary
> cache for this to work.

Actually I'm not sure whether this is such a good idea.  If it did, it
would be a backdoor into fellow system users.  An attacker could
construct a Nix expression that matches exactly another system user's
expression.  Then the attacker builds it, but they tell Nix that they
have a binary cache available for it, which delivers an infected version
of the derivation.

When the other system user tries to build the same expression, they find
that it is already built, but it is actually the infected substitute
injected by the attacker.


> Just out of curiosity, did you configure
>
>   nix.trustedBinaryCaches = [ http://hydra.nixos.org http://hydra.cryp.to ];
>
> in your configuration.nix?

I didn't.  Now that you mention it, I briefly remember Nix telling me
something about the untrusted binary cache.  I just ignored it, assuming
that Nix would go ahead and use it anyway.  I will try with that
setting.

But yes, because of the above it's totally sensible that Nix doesn't
just use any cache that you tell it to use.

Thanks!


Greets,
Ertugrul
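To make the policy discussed in this thread concrete, here is a small model (added here, not Nix's own code) of how a daemon decides which substituters to honour for a client: the globally configured caches are always consulted, a cache the client asks for is accepted only when it appears in the trusted list, and anything else is ignored with a warning, which is the message Ertugrul saw. All names and the sample URLs are constructed for illustration.

```python
from typing import Iterable, List, Tuple


def _normalize(url: str) -> str:
    """Compare cache URLs without regard to a trailing slash."""
    return url.rstrip("/")


def effective_substituters(
    global_caches: Iterable[str],
    trusted_caches: Iterable[str],
    requested_by_client: Iterable[str],
) -> Tuple[List[str], List[str]]:
    """Return (used, ignored) for one client's build request.

    global_caches   -- what the administrator set (nix.binaryCaches)
    trusted_caches  -- what a client may additionally ask for
                       (nix.trustedBinaryCaches)
    requested_by_client -- caches an unprivileged user passed along
    """
    trusted = {_normalize(u) for u in trusted_caches}
    used: List[str] = []
    ignored: List[str] = []
    seen = set()
    # The daemon's own caches are always consulted.
    for url in global_caches:
        if _normalize(url) not in seen:
            seen.add(_normalize(url))
            used.append(url)
    # Client-supplied caches are a request, not an instruction: honour
    # them only if the administrator listed them as trusted, otherwise a
    # user could point the shared store at a cache they control.
    for url in requested_by_client:
        key = _normalize(url)
        if key in seen:
            continue
        if key in trusted:
            seen.add(key)
            used.append(url)
        else:
            ignored.append(url)
    return used, ignored


def warnings_for(ignored: Iterable[str]) -> List[str]:
    """Warning lines a daemon would log for rejected caches (constructed wording)."""
    return [f"warning: untrusted binary cache {u} ignored" for u in ignored]
```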