Hi,

On 22/05/13 15:19, Lluís Batlle i Rossell wrote:

>> How about: rather than relying on nix-cache-info, nix.conf should specify a list
>> of fingerprints of trusted OpenPGP signing keys. Then when we fetch a .narinfo,
>> we check whether it is signed by a trusted key. This way you don't have the
>> problem Lluís described.
>
> Well, if we use gpg, gpg has its own system of trust, too. Or it's about not
> using gpg?

Now that you mention it, it would probably be better to use OpenSSL than GnuPG, given that we already have an (optional) dependency on OpenSSL, while GnuPG would be a fairly big new dependency.

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
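The check proposed in the quoted text (pin the fingerprints of trusted signing keys, then accept a .narinfo only if it is signed by one of them), done with the OpenSSL command-line tool as the reply suggests. This is an added example, not part of the original message and not Nix's code; the `trusted-keys` file, the detached `.sig` files, the SHA-256-over-DER fingerprint and the RSA keys are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed example: the trusted-keys file, detached .sig and fingerprint
# format are assumptions, not Nix's real configuration or file layout.

# SHA-256 fingerprint (hex) of a PEM public key, taken over its DER encoding.
key_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# verify_narinfo NARINFO SIG PUBKEY TRUSTED_LIST
# Returns 0 only if PUBKEY is pinned in TRUSTED_LIST and SIG is a valid
# signature by PUBKEY over NARINFO; 3 = key not pinned, 4 = bad signature.
verify_narinfo() {
    fp=$(key_fingerprint "$3")
    grep -qxF "$fp" "$4" || return 3
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1 ||
        return 4
}

# Create a 2048-bit RSA key pair named $1.key / $1.pub.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1.key" 2>/dev/null
    openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# --- constructed demo data ---
demo=$(mktemp -d)
make_key "$demo/cache"       # key the client pins
make_key "$demo/other"       # key the client has never pinned
key_fingerprint "$demo/cache.pub" > "$demo/trusted-keys"

printf '%s\n' \
    'StorePath: /nix/store/00000000000000000000000000000000-example-1.0' \
    'URL: nar/example.nar.xz' > "$demo/example.narinfo"
openssl dgst -sha256 -sign "$demo/cache.key" -out "$demo/cache.sig" "$demo/example.narinfo"
openssl dgst -sha256 -sign "$demo/other.key" -out "$demo/other.sig" "$demo/example.narinfo"

verify_narinfo "$demo/example.narinfo" "$demo/cache.sig" "$demo/cache.pub" \
    "$demo/trusted-keys" && echo "pinned key, valid signature: accepted"
verify_narinfo "$demo/example.narinfo" "$demo/other.sig" "$demo/other.pub" \
    "$demo/trusted-keys" || echo "unpinned key: rejected (rc=$?)"
```

The pin check runs before the signature check, so a correctly signed .narinfo from a key that is not in the list is still refused.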
