by slapslash 1585 days ago
If there can be a "digital supply chain" attack on packages, why shouldn't that be the case for the sources too?

When you list the sources for a Nix package you also have to specify the hash expected. If it pulls the sources and the hash doesn't match then the package will fail to build.
Ahh, I see. But couldn't the hash then also be used on the packages themselves?
The package in the cache which it's downloaded from?

I think so. It would be a bit more involved than "replace the package for gcc-11". The packages are addressed by the inputs which built them.

There has been some effort towards supporting content-addressable storage. https://www.tweag.io/blog/2020-09-10-nix-cas/ https://edolstra.github.io/pubs/secsharing-ase2005-final.pdf
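An added worked example, not code from this thread or from the Nix project, that puts the two points above side by side: the fixed-output check on sources (declared hash vs. fetched bytes, with a failed build on mismatch) and the difference between input-addressed store paths (keyed by the recipe that built a package) and content-addressed ones (keyed by the output bytes, so a cache substitute can be checked on the client). The store-path encoding here is a simplified stand-in for Nix's real scheme, and the source bytes, recipe values and paths are constructed samples.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a fetched source tarball; a real fetcher would
# download these bytes from the URL listed in the package expression.
SAMPLE_SOURCE = b"example-1.0 source tarball contents (constructed sample)"


def sri_sha256(data: bytes) -> str:
    """Hash bytes into the SRI form Nix expressions use, e.g. "sha256-<base64>"."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def verify_fixed_output(fetched: bytes, expected_sri: str) -> bool:
    """Fixed-output check: the bytes actually fetched must hash to the value
    the package declared up front. Returns False on any mismatch."""
    algo, _, expected_b64 = expected_sri.partition("-")
    if algo != "sha256":
        raise ValueError(f"unsupported hash algorithm: {algo!r}")
    expected = base64.b64decode(expected_b64)
    actual = hashlib.sha256(fetched).digest()
    return hmac.compare_digest(actual, expected)


def fetch_source(fetched: bytes, expected_sri: str) -> str:
    """What the fetch step of a build does with that check: hand the sources
    on ("ok") or fail the build with a message naming both hashes."""
    if verify_fixed_output(fetched, expected_sri):
        return "ok"
    return f"hash mismatch: expected {expected_sri}, got {sri_sha256(fetched)}"


def input_addressed_path(name: str, inputs: dict) -> str:
    """Simplified input-addressed store path (not Nix's exact encoding): a hash
    of the build recipe (builder, declared source hash, dependency paths).
    Nothing about the produced output goes into it, so "the package for
    gcc-11" is not a cache key by itself; the whole recipe is."""
    canonical = "\n".join(f"{key}={inputs[key]}" for key in sorted(inputs))
    digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:32]
    return f"/nix/store/{digest}-{name}"


def content_addressed_path(name: str, output: bytes) -> str:
    """Simplified content-addressed store path: a hash of the output bytes
    themselves, so whoever fetches a substitute from a cache can check it
    against the path it claims to be, independent of who built it."""
    digest = hashlib.sha256(output).hexdigest()[:32]
    return f"/nix/store/{digest}-{name}"


def check_substitute(claimed_path: str, name: str, output: bytes) -> bool:
    """Client-side check for a content-addressed substitute: recompute the path
    from the bytes received and compare it with the path that was requested."""
    return hmac.compare_digest(content_addressed_path(name, output), claimed_path)


if __name__ == "__main__":
    expected = sri_sha256(SAMPLE_SOURCE)
    print(fetch_source(SAMPLE_SOURCE, expected))                    # ok
    print(fetch_source(SAMPLE_SOURCE + b"\n# injected", expected))  # hash mismatch: ...

    # Constructed recipe values; only the declared source hash is real here.
    recipe = {"builder": "/nix/store/EXAMPLE-bash/bin/bash",
              "src": expected,
              "deps": "/nix/store/EXAMPLE-glibc"}
    print(input_addressed_path("example-1.0", recipe))
    # Same name, different source hash: a different store path, not a swap-in.
    print(input_addressed_path("example-1.0", {**recipe, "src": sri_sha256(b"other")}))

    built = b"constructed build output"
    path = content_addressed_path("example-1.0", built)
    print(check_substitute(path, "example-1.0", built))         # True
    print(check_substitute(path, "example-1.0", built + b"!"))  # False
```

The two path functions make the cache question concrete: with input addressing, a substitute is trusted because the cache served it under a recipe hash (and, in practice, signed it), not because the client can recompute anything from the bytes; with content addressing, the client can verify the bytes it received against the path it asked for, which is the property the linked content-addressable storage work is after.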