Re: [Nix-dev] When calling nix-store --verify-path - How to know the hash database is not corrupt?

2016-03-10 Thread Matthias Beyer
On 10-03-2016 07:43:00, Kevin Cox wrote:
> On Mar 10, 2016 5:28 AM, "Eelco Dolstra"
> wrote:
> >
> >
> > In the future Nix will probably store binary cache signatures in its
> database,
> > and provide a command to check local paths against binary caches.
> >
>
> The

Re: [Nix-dev] When calling nix-store --verify-path - How to know the hash database is not corrupt?

2016-03-10 Thread Kevin Cox
On Mar 10, 2016 5:28 AM, "Eelco Dolstra" wrote:
>
>
> In the future Nix will probably store binary cache signatures in its database,
> and provide a command to check local paths against binary caches.
>
The problem with this is that if you are running a local command

Re: [Nix-dev] When calling nix-store --verify-path - How to know the hash database is not corrupt?

2016-03-10 Thread Eelco Dolstra
Hi,

On 09/03/16 15:58, Matthias Beyer wrote:
> I have a question. When calling `nix-store --verify-path
> /nix/store/something`,
> it verifies that the contents of the store path haven't been altered by an
> attacker or some other corruption like bitflips or something, am I right?
>
> It does

Re: [Nix-dev] When calling nix-store --verify-path - How to know the hash database is not corrupt?

2016-03-09 Thread Vladimír Čunát
On 03/09/2016 04:20 PM, Matthias Beyer wrote:
> It is not clearly stated what database this is, as far as I can tell.

I believe it has to be /nix/var/nix/db/. Note that if an attacker compromised your system (such as libc etc.), you can *not* trust what your compromised nix-store ... returns,

Re: [Nix-dev] When calling nix-store --verify-path - How to know the hash database is not corrupt?

2016-03-09 Thread Matthias Beyer
I'm referring to the database which is referred to by the manpage of nix-store, section on "--verify". It is not clearly stated what database this is, as far as I can tell.

On 10-03-2016 02:02:24, Roger Qiu wrote:
> The database you're referring to is the nixpkgs repository/channel right?
> On

Re: [Nix-dev] When calling nix-store --verify-path - How to know the hash database is not corrupt?

2016-03-09 Thread Roger Qiu
The database you're referring to is the nixpkgs repository/channel right?

On 10/03/2016 1:59 AM, "Matthias Beyer" wrote:
> Hi,
>
> I have a question. When calling `nix-store --verify-path
> /nix/store/something`,
> it verifies that the contents of the store path haven't

[Nix-dev] When calling nix-store --verify-path - How to know the hash database is not corrupt?

2016-03-09 Thread Matthias Beyer
Hi, I have a question. When calling `nix-store --verify-path /nix/store/something`, it verifies that the contents of the store path haven't been altered by an attacker or some other corruption like bitflips or something, am I right? It does so by comparing the hashsum of the directory contents