On Sat, Jun 11, 2011 at 21:27, Michael Raskin <[email protected]> wrote:
>>Hi list,
>>
>>I think most of you are aware of the problem. The problem is that
>>the content of the nix store is public. So if passwords are part of
>>derivations or parts of the build result, they would appear as
>>readable inside the nix store.
>>
>>In NixOS, to work around this issue, we have to either pass filenames
>>with double quotes, to escape from the copy of the file into the nix
>>store. This has 2 disadvantages. The first one is that most of the
>>options do not ensure that you cannot give a path to them. The second
>>one is that this prevents us from creating abstractions over the content
>>of the configuration file in order to ensure consistency of configuration
>>files.
>>
>>We have multiple solutions to handle this problem.
>
> n+1/ encryption. See gw6c service. On launch, you access properly secured
> private key, optionally check that the public key in store matches, and
> write real config with sane permissions by decrypting what is in store.
I think that your derivation file contains the plain version of your ciphered output. I second the comment of Eelco which is contained in the gw6c service.

-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
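The path-versus-string distinction the thread turns on, as an added illustration that is not code from the thread, from NixOS or from the gw6c service; the service name, file location and helper names are made up, and evaluating `leakyConfig` requires the file to exist on the evaluating machine (which is exactly what copies it into the store):

```nix
# Added example: how a secret ends up world-readable in the Nix store, and
# the "pass the filename as a string" workaround described in the thread.
let
  pkgs = import <nixpkgs> { };

  # Constructed location; the service account must be able to read it at runtime.
  secretFile = "/etc/myservice/password";
in
{
  # LEAKY: `/etc/myservice/password` without quotes is a Nix *path* value.
  # Interpolating it into a string copies the file to /nix/store/<hash>-password,
  # which every local user can read, and records that store path in the .drv.
  leakyConfig = pkgs.writeText "myservice.conf" ''
    password_file = ${/etc/myservice/password}
  '';

  # WORKAROUND: the same location as a *string*. Only the characters of the
  # filename reach the store; the file itself is opened when the service starts.
  safeConfig = pkgs.writeText "myservice.conf" ''
    password_file = ${secretFile}
  '';

  # Guard for a module option, so a path value cannot slip through unnoticed:
  # insist on a string and reject anything already inside the store.
  # (pkgs.lib.hasPrefix and builtins.storeDir are existing nixpkgs/Nix APIs.)
  checkSecretFile = value:
    assert builtins.isString value;
    assert !(pkgs.lib.hasPrefix builtins.storeDir value);
    value;

  # The consumer reads the secret at start time, never at build time.
  startScript = pkgs.writeShellScript "myservice-start" ''
    password=$(cat ${pkgs.lib.escapeShellArg (checkSecretFile secretFile)})
    exec myservice --password-from-env
  '';
}
```

Both attributes produce a file in the store; the difference is only whether the store also holds a copy of the referenced secret.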
