> > That did it! Since I'm running NixOS I am indeed running > > nix-daemon. The following setting did the trick: > > > > nix.binaryCaches = [ > > "https://cache.nixos.org/"; > > "https://hydra.nixos.org/"; > > ]; > > IMHO, "nix-env" should pass those options on to the daemon, i.e. it > should not be necessary to hard-code hydra.cryp.to as a global binary > cache for this to work.
Actually I'm not sure whether this is such a good idea. If it did, it would be a backdoor into fellow system users. An attacker could construct a Nix expression that matches exactly another system user's expression. Then the attacker builds it, but they tell Nix that they have a binary cache available for it, which delivers an infected version of the derivation. When the other system user tries to build the same expression, they find that it is already built, but it is actually the infected substitute injected by the attacker. > Just out of curiosity, did you configure > > nix.trustedBinaryCaches = [ http://hydra.nixos.org http://hydra.cryp.to ]; > > in your configuration.nix? I didn't. Now that you mention it I briefly remember Nix telling me something about the untrusted binary cache. I just ignored it, assuming that Nix would go ahead and use it anyway. I will try with that setting. But yes, because of the above it's totally sensible that Nix doesn't just use any cache that you tell it to use. Thanks! Greets, Ertugrul
signature.asc
Description: PGP signature
_______________________________________________ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
