17 Aug 2021 |
@vherrmann:shmerver.de | I mean the first key: https://github.com/divnix/devos/blob/079adc4474231d5582fee5574bc5bcc6f133e5ac/flake.nix#L6 | 15:21:46 |
@vherrmann:shmerver.de | or do i misunderstand the cachix architecture? | 15:22:02 |
@timdeh:matrix.org | that's not my gpg key | 15:22:10 |
@timdeh:matrix.org | that's a cache key | 15:22:14 |
@timdeh:matrix.org | the cache is there to help alleviate building artifacts from the template | 15:22:32 |
@timdeh:matrix.org | The source for all the packages is right there in the repo so you don't really have to trust me 😉 | 15:22:51 |
@vherrmann:shmerver.de | In reply to @blaggacao:matrix.org Does this mean there is a regression w.r.t. new flake-utils-plus versions? digga comes with a locked version and I think we haven't run any tests with a different one. no, i didn't mess with digga's inputs | 15:24:40 |
@vherrmann:shmerver.de | nrdxp: Well, when i use the cache key, i have to trust you (though i have to do that as well, if i just use digga/devos/etc.) | 15:28:52 |
@vherrmann:shmerver.de | It's just that it's easier to mess with binaries | 15:29:24 |
@timdeh:matrix.org | Because of the way nix hashes packages, you would only have to trust me if source wasn't available. | 15:29:29 |
@vherrmann:shmerver.de | but, whatever | 15:29:29 |
@vherrmann:shmerver.de | hm | 15:29:39 |
@vherrmann:shmerver.de | yes, with nix it's pretty easy to validate the packages | 15:30:00 |
@timdeh:matrix.org | if I changed anything, it would change the hash, and it would be a cache miss | 15:30:08 |
@vherrmann:shmerver.de | But for that i would have to build them, or not? | 15:30:12 |
@vherrmann:shmerver.de | or no, as long as i trust cachix, i don't have to trust you, am i right? | 15:30:43 |
@timdeh:matrix.org | no | 15:30:47 |
@vherrmann:shmerver.de | so, you're saying i have to trust you? | 15:31:25 |
@vherrmann:shmerver.de | hm | 15:33:15 |
@vherrmann:shmerver.de | well anyways… | 15:33:33 |
@vherrmann:shmerver.de | there are millions of other security issues with my setup | 15:34:06 |
@vherrmann:shmerver.de | (Just like most setups have millions of security issues) | 15:37:57 |
@timdeh:matrix.org | no I'm not | 15:38:10 |
@timdeh:matrix.org | I'm saying if I changed anything, it would be a cache miss | 15:38:23 |
@timdeh:matrix.org | (for you) | 15:38:33 |
@timdeh:matrix.org | so if I take package A from DevOS and secretly modify a line, and upload the result to cachix, and then you come and download package A from DevOS, you will not download my modified version, because my version has a different hash, which, without the source, you can't even calculate. | 15:39:32 |
18 Aug 2021 |
David Arnold (blaggacao) | In reply to @vherrmann:shmerver.de So it's opt-out and not opt-in The config settings you refer to are opt-in. You will be explicitly asked by the cli if you trust them, and if you want to record that decision for future invocations. | 00:02:55 |
ultranix | that would be.. opt in | 04:41:28 |
@vherrmann:shmerver.de | lol, i forgot that | 05:17:58 |
@vherrmann:shmerver.de | :S | 05:27:45 |