On Fri, 17 Jun 2016 at 14:56 Yui Hirasawa <[email protected]> wrote:
>
> > One improvement would be to sign the actual script with an offline key
> > but while that would be safer the current method is perfectly fine.
>
> The current method isn't fine at all.
>
> Here is a quote from the #nix channel:
>
> > kmicu: Tsutsukakushi: I told ya so… security is not a priority here.
> > Feel free to try to improve security in Nix world, but you are better
> > off with Guix. They even don’t trust compilers w/o bootstrapping from
> > the source option :)
>
Let's compare it with Guix then:

Go to https://www.gnu.org/software/guix/download/

First of all, it's not clear how to install Guix. You can download the archive and poke inside or go to the installation instructions:
https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html

There you are instructed to fetch both the archive *and* the signature from the same origin, over FTP, and then use gpg to check the archive against the signature. Assuming a MITM, it's already game over here; the MITM doesn't even have to control one of the CAs.

There is also an alternative verification method: `gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5`. Assuming a MITM, keys.gnupg.net is accessed in the clear, and generating a GPG key with the same key ID is trivial. So game over again.

At that point there are still two pages of instructions to follow to get Guix installed, with no additional security benefits.

==

I don't mean to say that GPG is a bad idea. It's just that using SSL is a better idea unless we nail the GPG bit. Not everyone is getting state-sponsored attacks.
_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
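As an added example (not part of this thread or of either project's code), the following Python derives an OpenPGP v4 fingerprint per RFC 4880 for a constructed RSA public-key packet and shows that a short key ID like the `3D9AEBB5` above is just the low 32 bits of that fingerprint, which is why a verifier should pin and compare the full 160-bit fingerprint rather than a key ID. The modulus, exponent and creation time are made-up sample values, not a real key.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Constructed sample key material: NOT a real RSA key, just bytes with the right shape.
SAMPLE_CREATED = 1466166960            # arbitrary Unix timestamp (assumption)
SAMPLE_N = (1 << 1023) | 0xC0FFEE1234567  # fake 1024-bit "modulus" (assumption)
SAMPLE_E = 65537


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 s3.2): 2-byte bit length + big-endian value."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", n.bit_length()) + body


def rsa_public_key_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet (RFC 4880 s5.5.2) for RSA (algorithm 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 s12.2: SHA-1 over 0x99, the two-octet body length, then the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_ids(fingerprint: str) -> Tuple[str, str]:
    """The long (64-bit) and short (32-bit) key IDs are simply the trailing bits of the fingerprint."""
    return fingerprint[-16:], fingerprint[-8:]


def key_id_bits(key_id: str) -> int:
    """How many bits an identifier actually carries: 8 hex digits == 32 bits, trivially searchable."""
    return len(bytes.fromhex(key_id)) * 8


def key_matches_pin(fingerprint: str, pinned: str) -> bool:
    """Only the full fingerprint identifies a key; compare it (spaces tolerated) in constant time."""
    norm = lambda s: s.replace(" ", "").upper()
    return hmac.compare_digest(norm(fingerprint), norm(pinned))


if __name__ == "__main__":
    fp = v4_fingerprint(rsa_public_key_packet_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E))
    long_id, short_id = key_ids(fp)
    print("fingerprint:", fp, "long id:", long_id, "short id:", short_id)
    print("bits identified by the short id:", key_id_bits(short_id))
```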
