On Fri, 17 Jun 2016 at 16:35 Jookia <[email protected]> wrote:

> On Fri, Jun 17, 2016 at 03:01:00PM +0000, zimbatm wrote:
> > I don't mean to say that GPG is a bad idea. It's just that using SSL is a
> > better idea unless we nail the GPG bit. Not everyone is getting
> > state-sponsored attacks.
>
> TLS and GPG aren't mutually exclusive, you can use both. It's also worth noting
> that states aren't the only people attacking TLS: Tor exit nodes like to do it
> too. It does trouble me that there's no way to really verify that I have a copy
> of Nix that the maintainers have. Right now I check out with an unverified Git
> repository which isn't much better either. It'd be nice to at least try to have
> verification.

I suppose we could distribute the installation script as part of a Hydra build. That way it would be signed like the rest of the packages. It does suppose that the build hosts aren't compromised though.

_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
