Actually, that’s an interesting question. I always assumed they were signed (AFAIK `nix-store` is able to check signatures contained inside NAR files), but now I wonder how hydra.cryp.to signs NARs…

On Thu, Apr 16, 2015 at 9:09 PM Ertugrul Söylemez <ert...@gmx.de> wrote:
> Hi Kirill,
>
> >>>> nix-env \
> >>>>   --option extra-binary-caches https://hydra.nixos.org \
> >>>>   --option extra-binary-caches https://hydra.cryp.to \
> >>>>   -iA nixos.pkgs.hsEnv
> >
> > Might it be the case that you are running nix in daemon mode and thus it
> > ignores `binary-caches`?
>
> That did it! Since I'm running NixOS I am indeed running nix-daemon.
> The following setting did the trick:
>
>     nix.binaryCaches = [
>       "https://cache.nixos.org/"
>       "https://hydra.nixos.org/"
>     ];
>
> Thanks a lot!
>
> Unfortunately hydra.cryp.to does not seem to support TLS. That's why I
> left it out. But that raises an interesting question: Where do the
> hash values for the binary packages come from?
>
> At this point since we lack deterministic builds I would assume that
> they come from the same host that delivers the substitutes. A related
> question is: Are the hashes signed?
>
> If the hashes are not trusted, then a plain-text connection would be a
> huge security risk regardless of whether you trust the host. Even a
> malicious user or an infected machine on your local network could
> replace binary packages on their way and get arbitrary code onto your
> machine.
>
>
> Greets,
> Ertugrul
>
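
The reasoning in the quoted message, as an added example that is not part of the thread and is not Nix code: a hash delivered over the same plain-text channel as the package detects nothing when both are rewritten together, while metadata checked against a key obtained out of band does. The metadata layout, function names and sample bytes are constructed, and a Lamport one-time signature over SHA-256 is used only as a standard-library stand-in for whatever signature scheme a cache actually uses.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature: a stand-in for the cache's real signature scheme.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg: bytes) -> list:
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = digest_bits(msg)
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits, sig)))

def make_meta(name: str, nar: bytes) -> bytes:
    # Constructed metadata layout: "<name>;sha256:<hex digest of the NAR>"
    return f"{name};sha256:{hashlib.sha256(nar).hexdigest()}".encode()

def publish(sk, name: str, nar: bytes) -> dict:
    meta = make_meta(name, nar)
    return {"nar": nar, "meta": meta, "sig": sign(sk, meta)}

def rewritten_in_transit(resp: dict, new_nar: bytes) -> dict:
    # Models the plain-text channel: package and hash change together, but the
    # signature cannot be recomputed without the builder's secret key.
    name = resp["meta"].split(b";")[0].decode()
    return {"nar": new_nar, "meta": make_meta(name, new_nar), "sig": resp["sig"]}

def accept_hash_only(resp: dict) -> bool:
    # Client that trusts the hash delivered alongside the package.
    claimed = resp["meta"].split(b"sha256:")[1].decode()
    return hashlib.sha256(resp["nar"]).hexdigest() == claimed

def accept_signed(resp: dict, pinned_pk) -> bool:
    # Client that first checks the metadata against a key obtained out of band.
    return verify(pinned_pk, resp["meta"], resp["sig"]) and accept_hash_only(resp)

if __name__ == "__main__":
    sk, pk = keygen()
    good = publish(sk, "hsEnv", b"constructed NAR bytes")
    bad = rewritten_in_transit(good, b"different bytes")
    print(accept_hash_only(bad), accept_signed(good, pk), accept_signed(bad, pk))
```

The hash-only client accepts the rewritten response because the hash it checks came from the same untrusted channel; the signature check fails on it because the pinned key never travelled over that channel.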