| 27 Jun 2026 |
hexa | applying to mimas | 11:58:31 |
emily | transparency logging too | 11:58:48 |
hexa | you want it all | 11:59:13 |
hexa | do you also want certificates instead of pubkeys? | 11:59:23 |
emily | no, PKI sucks :) | 11:59:36 |
hexa | ah, so this is where you draw the line, interesting :p | 11:59:49 |
emily | though builder attestation yes | 11:59:58 |
hexa | and key expiry? | 12:00:35 |
emily | probably we can just do most things via nix.conf management is the thing | 12:01:20 |
emily | having a long term root key might not make that much sense | 12:01:37 |
emily | admittedly for non-NixOS/nix-darwin the story is less clear | 12:01:54 |
emily | you can imagine it happening through nix update-nix though | 12:02:16 |
emily | just bundle a rolling window of keys in the package | 12:02:29 |
hexa | update-nix is really annoying | 12:02:36 |
hexa | ideally you could pull the current public key from a trusted location | 12:03:13 |
hexa | would be mildly annoying if yo uwanted old packages though | 12:03:34 |
emily | and how do you trust that location? :P | 12:04:21 |
hexa | maybe it is hosted next to the queue-runner | 12:05:03 |
Mic92 | In reply to @hexa:lossy.network Mic92 lgtm, do you want to double-check? I check in an hour | 12:05:05 |
hexa | publicly exposed on hydra.nixos.org | 12:05:08 |
emily | but yeah "key signs the next one" in some form or another is ultimately what you get. it doesn't necessarily mean teaching Nix about certificates though | 12:05:10 |
hexa | already deployed, sorry :) | 12:05:17 |
emily | right I just mean you can't just trust TLS or w/e | 12:05:23 |
emily | because then you might as well skip the key | 12:05:36 |
hexa | we should get DNSSEC | 12:05:42 |
hexa | that shit is so complicated that attackers tend to forget it is in place | 12:06:00 |
emily | if you secure the transit enough that you feel you can trust any key coming down the wire then you don't need to sign the packages at all | 12:06:20 |
emily | tlog as key distribution mechanism would work though :) | 12:06:56 |
Mic92 | In reply to @hexa:lossy.network already deployed, sorry :) Okay should be fine | 12:07:27 |
Eli Saado | it depends on the threat model, transit can be very secure but if the server serving the packages is compromised an attacker can still serve malware if packages aren't signed | 12:07:27 |