In a message of Tuesday, 25 June 2013 15:40:11, Marc Weber wrote:
> Hi Evgeny Egorochkin,
>
> I've created this page long time ago:
> https://nixos.org/wiki/Nix_impurities
>
> So how do you exactly "fix" those impurities?
Not all these impurities need to be fixed. In fact it's enough to simply terminate the build if it does something really unusual and ask the user to patch it. If the build system really wants to break purity, it can launch a benchmarking attack anyway. But then again such a build system can be quickly found and patched, assuming that 99.9% of other packages build reliably.

I have a hard time coming up with any way to weaponize benchmarking. It can be used to roughly identify the building machine. If the number of users is small, it can compile in a backdoor targeted at a paranoid user who compiles everything from source, if this user's hardware config is known and unique. But this requires that the source code is already compromised, so all these tricks are probably useless.

> Maybe consider updating that wiki adding a line
> "fixed by doing X"

As I said, I'd rather identify the rare build that does most of those nasty things and fix it. I would try intercepting and sanitizing date, uname, /proc/meminfo; let file access to the build dir and nix store flow freely and abort for everything else, +- some minor tweaks. Shouldn't be too hard and would cover a very large subset of builds. There might be some nastiness with tests though :(

_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
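The policy sketched in the reply above (reads of the build dir and the nix store flow freely, host-detail sources such as uname and /proc/meminfo get flagged for sanitizing, anything else aborts the build and names the file to patch) as an added example that is not part of this thread and not Nix's own code: a Python script that classifies a captured strace log of a build. The build dir path, the allow/sanitize lists, the strace invocation in the comment and the sample trace lines are constructed assumptions, not values taken from the thread.

```python
import posixpath
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed locations (hypothetical; a real sandbox would get them from the builder).
BUILD_DIR = "/tmp/nix-build-hello-2.8"
NIX_STORE = "/nix/store"

# "Minor tweaks": paths every build touches that carry no host information.
ALLOW_EXTRA = {"/dev/null"}

# Files whose contents describe the host; the reply proposes sanitizing these.
SANITIZE_PATHS = {"/proc/meminfo", "/proc/cpuinfo"}

# Syscalls whose result depends on the host clock or kernel rather than on the inputs.
SANITIZE_CALLS = {"uname", "time", "gettimeofday", "clock_gettime", "sysinfo"}

# One strace line whose first argument is a path, e.g.
#   openat(AT_FDCWD, "/proc/meminfo", O_RDONLY) = 4
#   execve("/nix/store/...-bash/bin/bash", ["bash", "./configure"], ...) = 0
PATH_CALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(openat|open|stat|access|readlink|execve)'
    r'\((?:AT_FDCWD,\s*)?"([^"]*)"'
)
ANY_CALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\(')


class Event(NamedTuple):
    verdict: str    # "allow", "sanitize" or "abort"
    syscall: str
    target: str


def _resolve(path: str) -> str:
    # The build runs with its cwd inside the build dir, so relative paths are
    # resolved against it; normpath collapses "../" escapes before the prefix test.
    if not path.startswith("/"):
        path = posixpath.join(BUILD_DIR, path)
    return posixpath.normpath(path)


def _under(path: str, root: str) -> bool:
    return path == root or path.startswith(root.rstrip("/") + "/")


def classify(line: str) -> Optional[Event]:
    """Map one strace line to a policy verdict, or None if the line is irrelevant."""
    m = PATH_CALL_RE.match(line)
    if m:
        syscall, raw = m.groups()
        path = _resolve(raw)
        if path in SANITIZE_PATHS:
            return Event("sanitize", syscall, path)
        if path in ALLOW_EXTRA or _under(path, BUILD_DIR) or _under(path, NIX_STORE):
            return Event("allow", syscall, path)
        return Event("abort", syscall, path)
    m = ANY_CALL_RE.match(line)
    if m and m.group(1) in SANITIZE_CALLS:
        return Event("sanitize", m.group(1), "host-dependent result")
    return None


def audit(trace_lines: List[str]) -> Tuple[str, List[Event]]:
    """Return the overall verdict ("pure", "sanitize" or "abort") plus every event."""
    events = [e for e in map(classify, trace_lines) if e is not None]
    if any(e.verdict == "abort" for e in events):
        overall = "abort"
    elif any(e.verdict == "sanitize" for e in events):
        overall = "sanitize"
    else:
        overall = "pure"
    return overall, events


def offending_paths(events: List[Event]) -> List[str]:
    """Paths outside the build dir and store: what the user would be asked to patch."""
    return [e.target for e in events if e.verdict == "abort"]


# Constructed sample trace (not captured from a real build), in the shape that
#   strace -f -e trace=file,uname,sysinfo,time,gettimeofday,clock_gettime -o build.trace ./configure
# would produce (invocation is an assumption, check your strace version).
SAMPLE_TRACE = """\
execve("/nix/store/abc-bash-4.2/bin/bash", ["bash", "./configure"], [/* 12 vars */]) = 0
openat(AT_FDCWD, "configure", O_RDONLY) = 3
openat(AT_FDCWD, "/nix/store/abc-glibc-2.17/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
uname({sysname="Linux", nodename="buildhost", ...}) = 0
openat(AT_FDCWD, "/proc/meminfo", O_RDONLY) = 4
openat(AT_FDCWD, "/dev/null", O_WRONLY) = 5
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/include/zlib.h", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

if __name__ == "__main__":
    overall, events = audit(SAMPLE_TRACE.splitlines())
    for e in events:
        print(f"{e.verdict:8} {e.syscall:8} {e.target}")
    print("verdict:", overall)
    if overall == "abort":
        print("patch the build to stop touching:", ", ".join(offending_paths(events)))
```

This audits after the fact, which is enough to find the rare build that needs patching; the in-flight "sanitize" part of the proposal (handing uname or /proc/meminfo canonical values instead of the host's) would need a ptrace or seccomp sandbox that rewrites results, which this script only flags. Failed opens (ENOENT) are deliberately still aborts: a configure script probing /usr/local/include is exactly the kind of host dependence the policy wants surfaced.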