just making sure you're up to date with discussions going on @ https://github.com/NixOS/nix/issues/969, https://github.com/NixOS/ofborg/issues/68, https://github.com/NixOS/rfcs/pull/171 (towards bottom of each thread)
short version: the fact that a FOD will quite blindly trust a cached outpath introduces a potential cache-poisoning attack for nixpkgs if someone is able to get their malicious outpath included (somehow) in cache.nixos.org
ris_