!RROtHmAaQIkiJzJZZE:nixos.org

NixOS Infrastructure

483 Members
Next Infra call: 2024-07-11, 18:00 CEST (UTC+2) | Infra operational issues backlog: https://github.com/orgs/NixOS/projects/52 | See #infra-alerts:nixos.org for real time alerts from Prometheus.151 Servers

Load older messages


SenderMessageTime
27 Jun 2026
@hexa:lossy.networkhexaapplying to mimas11:58:31
@emilazy:matrix.orgemilytransparency logging too11:58:48
@hexa:lossy.networkhexayou want it all11:59:13
@hexa:lossy.networkhexado you also want certificates instead of pubkeys?11:59:23
@emilazy:matrix.orgemilyno, PKI sucks :)11:59:36
@hexa:lossy.networkhexaah, so this is where you draw the line, interesting :p11:59:49
@emilazy:matrix.orgemilythough builder attestation yes11:59:58
@hexa:lossy.networkhexaand key expiry?12:00:35
@emilazy:matrix.orgemilyprobably we can just do most things via nix.conf management is the thing12:01:20
@emilazy:matrix.orgemilyhaving a long term root key might not make that much sense12:01:37
@emilazy:matrix.orgemilyadmittedly for non-NixOS/nix-darwin the story is less clear12:01:54
@emilazy:matrix.orgemilyyou can imagine it happening through nix update-nix though12:02:16
@emilazy:matrix.orgemilyjust bundle a rolling window of keys in the package12:02:29
@hexa:lossy.networkhexaupdate-nix is really annoying12:02:36
@hexa:lossy.networkhexaideally you could pull the current public key from a trusted location12:03:13
@hexa:lossy.networkhexawould be mildly annoying if yo uwanted old packages though12:03:34
@emilazy:matrix.orgemilyand how do you trust that location? :P12:04:21
@hexa:lossy.networkhexamaybe it is hosted next to the queue-runner12:05:03
@joerg:thalheim.ioMic92
In reply to @hexa:lossy.network
Mic92 lgtm, do you want to double-check?
I check in an hour
12:05:05
@hexa:lossy.networkhexapublicly exposed on hydra.nixos.org12:05:08
@emilazy:matrix.orgemilybut yeah "key signs the next one" in some form or another is ultimately what you get. it doesn't necessarily mean teaching Nix about certificates though12:05:10
@hexa:lossy.networkhexaalready deployed, sorry :)12:05:17
@emilazy:matrix.orgemilyright I just mean you can't just trust TLS or w/e12:05:23
@emilazy:matrix.orgemilybecause then you might as well skip the key12:05:36
@hexa:lossy.networkhexawe should get DNSSEC12:05:42
@hexa:lossy.networkhexathat shit is so complicated that attackers tend to forget it is in place12:06:00
@emilazy:matrix.orgemilyif you secure the transit enough that you feel you can trust any key coming down the wire then you don't need to sign the packages at all12:06:20
@emilazy:matrix.orgemilytlog as key distribution mechanism would work though :)12:06:56
@joerg:thalheim.ioMic92
In reply to @hexa:lossy.network
already deployed, sorry :)
Okay should be fine
12:07:27
@elisaado:elisaado.comEli Saado it depends on the threat model, transit can be very secure but if the server serving the packages is compromised an attacker can still serve malware if packages aren't signed 12:07:27

Show newer messages


Back to Room ListRoom Version: 6