Actually, that’s an interesting question. I always assumed they were signed
(AFAIK `nix-store` is able to check signatures contained inside NAR-files),
but now I wonder how does hydra.cryp.to sign NAR’s…
On Thu, Apr 16, 2015 at 9:09 PM Ertugrul Söylemez wrote:
> Hi Kirill,
>
> nix-env \
> --option extra-binary-caches https://hydra.nixos.org \
> --option extra-binary-caches https://hydra.cryp.to \
> -iA nixos.pkgs.hsEnv
> >
> > Might it be the case that you are running nix in daemon mode and thus it
> > ignores `binary-caches`?
>
> That did it! Since I'm running NixOS I am indeed running nix-daemon.
> The following setting did the trick:
>
> nix.binaryCaches = [
> "https://cache.nixos.org/";
> "https://hydra.nixos.org/";
> ];
>
> Thanks a lot!
>
> Unfortunately hydra.cryp.to does not seem to support TLS. That's why I
> left it out. But that raises an interesting question: Where do the
> hash values for the binary packages come from?
>
> At this point since we lack deterministic builds I would assume that
> they come from the same host that delivers the substitutes. A related
> question is: Are the hashes signed?
>
> If the hashes are not trusted, then a plain-text connection would be a
> huge security risk regardless of whether you trust the host. Even a
> malicious user or an infected machine on your local network could
> replace binary packages on their way and get arbitrary code onto your
> machine.
>
>
> Greets,
> Ertugrul
>
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
