On Fri, Jun 17, 2016 at 03:01:00PM +0000, zimbatm wrote: > I don't mean to say that GPG is a bad idea. It just that using SSL is a > better idea unless we nail the GPG bit. Not everyone is getting > state-sponsored attacks.
TLS and GPG aren't mutually exclusive, you can use both. It's also worth noting that states aren't the only people attacking TLS: Tor exit nodes like to do it too. It does trouble me that there's no way to really verify that I have a copy of Nix that the maintainers have. Right now I check out with an unverified Git repository which isn't much better either. It'd be nice to at least try to have verification. _______________________________________________ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev