NixCon 2024

Signed Nix Expressions
2024-10-26, Arena

Nix build expressions often depend on other expressions, most commonly Nixpkgs. Those dependencies could, however, be modified by a machine-in-the-middle attacker while they are being fetched. Giving users a way to verify cryptographic signatures on expressions would mitigate this attack vector and strengthen Nix's resilience.

This talk will discuss update verification for Nix and NixOS with a focus on Git signatures. It will explain Guix's authentication mechanism and RFC 100, an attempt to bring it to Nixpkgs. It will then sketch out possible paths forward, considering the use cases and the additional burden placed on developers.
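The Guix mechanism mentioned above, as an added example that is not part of the talk and not Guix's own code: a Python model of the authorization-chain rule that `guix git authenticate` applies, run over a constructed commit history. It takes the signature status and signer fingerprint in the form Git reports them (the `%G?` and `%GF` log placeholders), reads each commit's authorized keys from a per-commit set standing in for `.guix-authorizations`, and uses made-up commit identifiers and fingerprints. The description of the rule is this editor's reading of the Guix manual, not a quotation from it.

```python
"""Commit-chain authentication in the style of Guix's `guix git authenticate`.

Rule modelled here (from the Guix manual, as this editor understands it):
starting from a trusted "introduction" commit signed by a known key,
every later commit must carry a good signature from a key listed in the
.guix-authorizations file of EACH of its parents.  Checking the parents'
authorizations rather than the commit's own is what stops an attacker
from adding their key and using it in the same commit.

Signature status and signer fingerprint are taken as Git reports them
with `git log --format='%H %P %G? %GF'`; the authorizations would be read
with `git show <sha>:.guix-authorizations`.  The history and the
fingerprints below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    sha: str
    parents: tuple             # parent SHAs (Git's %P)
    sig_status: str            # Git's %G?: 'G' good, 'B' bad, 'N' unsigned, ...
    signer: str                # Git's %GF: fingerprint of the signing key
    authorizations: frozenset  # keys listed in this commit's .guix-authorizations


def authenticate(commits, introduction_sha, introduction_key, target_sha):
    """Return (ok, reason): is target_sha reachable from the introduction
    through a chain of commits that each satisfy the rule above?"""
    by_sha = {c.sha: c for c in commits}

    # 1. Collect target's ancestors down to the introduction.  Reaching a root
    #    before the introduction means unauthenticated side history was merged
    #    in, which is a failure rather than something to skip.
    subgraph, stack = set(), [target_sha]
    while stack:
        sha = stack.pop()
        if sha in subgraph:
            continue
        if sha not in by_sha:
            return False, f"{sha}: commit not in history"
        subgraph.add(sha)
        if sha == introduction_sha:
            continue  # history before the introduction is not verified
        if not by_sha[sha].parents:
            return False, f"{sha}: reached a root commit without passing the introduction"
        stack.extend(by_sha[sha].parents)

    # 2. Verify parents before children (Kahn's algorithm over the subgraph).
    waiting = {sha: set(by_sha[sha].parents) for sha in subgraph}
    waiting[introduction_sha] = set()
    children = {sha: [] for sha in subgraph}
    for sha, parents in waiting.items():
        for p in parents:
            children[p].append(sha)
    ready, verified = [introduction_sha], set()
    while ready:
        sha = ready.pop()
        c = by_sha[sha]
        if c.sig_status != "G":
            return False, f"{sha}: signature status {c.sig_status!r}, want 'G'"
        if sha == introduction_sha:
            if c.signer != introduction_key:
                return False, f"{sha}: introduction not signed by {introduction_key}"
        else:
            for p in c.parents:
                if c.signer not in by_sha[p].authorizations:
                    return False, f"{sha}: signer {c.signer} not authorized by parent {p}"
        verified.add(sha)
        for child in children[sha]:
            waiting[child].discard(sha)
            if not waiting[child]:
                ready.append(child)
    if target_sha not in verified:
        return False, f"{target_sha}: not reached"  # cannot happen on an acyclic history
    return True, f"{len(verified)} commits verified up to {target_sha}"


ALICE, BOB, MALLORY = "FPR-ALICE", "FPR-BOB", "FPR-MALLORY"  # constructed fingerprints

HISTORY = [  # constructed history; SHAs are placeholders
    # Introduction: only Alice is authorized.
    Commit("a1", (), "G", ALICE, frozenset({ALICE})),
    # Alice adds Bob to .guix-authorizations.
    Commit("b2", ("a1",), "G", ALICE, frozenset({ALICE, BOB})),
    # Bob's first commit: allowed because its parent b2 lists Bob.
    Commit("c3", ("b2",), "G", BOB, frozenset({ALICE, BOB})),
    # Mallory adds herself and signs with her own key: parent c3 does not list her.
    Commit("d4", ("c3",), "G", MALLORY, frozenset({ALICE, BOB, MALLORY})),
    # Tampered commit: Git reports a bad signature.
    Commit("e5", ("c3",), "B", BOB, frozenset({ALICE, BOB})),
    # Side history that never descends from the introduction ...
    Commit("x0", (), "G", BOB, frozenset({ALICE, BOB})),
    # ... merged by Bob: his key is fine, but x0 itself cannot be authenticated.
    Commit("f6", ("c3", "x0"), "G", BOB, frozenset({ALICE, BOB})),
]

if __name__ == "__main__":
    for target in ("c3", "d4", "e5", "f6"):
        print(target, authenticate(HISTORY, "a1", ALICE, target))
```

The `d4` case is the one worth remembering when designing a policy for Nixpkgs: a commit that both introduces a key and is signed by it must fail, which is why the check reads the parents' authorizations rather than the commit's own. The `f6` case shows why every parent of a merge has to be authenticated, not just the first one.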


What level of experience in Nix is the talk addressed to?

Intermediate Nix users. A basic understanding of Nix's update mechanisms (channels, flakes, fetchers) and of Git will be required.

See also: Secure Nix Expression Updates (Bachelor's Thesis)