Hi Kirill,

 > Actually, that’s an interesting question. I always assumed they were
 > signed (AFAIK `nix-store` is able to check signatures contained inside
 > NAR-files), but now I wonder how does hydra.cryp.to sign NAR’s…

it's my understanding that the content from binary caches is not signed in
any meaningful way. If you're downloading pre-compiled binaries from
hydra.cryp.to or anywhere else, then you're living in the Wild West,
essentially. Anyone with the ability to mess with those machines (or the
transport layer between you and the cache) can inject trojan horses into
your system as they please.

Best regards,
Peter

_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev