Vladimír Čunát wrote:
> Hi.
>
> On 19 February 2011 08:00, Yury G. Kudryashov <[email protected]> wrote:
>> Is it hard to let hydra sign .nar archives? If hydra-created .nar
>> archives will be signed, a user without root access (hence, without
>> privileges to do nix-channel --update) will be able to download &
>> nix-store --import these nars.
>
> Yes, I believe this is the way to go in future. Administrator should
> only be required to list the allowed substitution sources. I don't
> think it'll be difficult to make hydra sign the archives and make the
> substitute script check them. If you're interested in it, you can try
> to implement it. I doubt anyone would object to such a feature.

The main point is not to use substituters for downloading but to download & import. Substituters are executed by nix-daemon and must be registered by root.
With my solution (not really mine; nix-store already supports it, but neither hydra nor nix-build does) root only needs to "bless" hydra's public key once, then users will be able to install binary packages produced by hydra using just curl & nix-store --import. Of course, later nix-build should automatically ask hydra for available packages (e.g., by fetching manifest) but this should happen on the *client* side, not on the nix-daemon side.
