Add cache.nixos.org to trusted substituters by default #4306
Conversation
When a user is untrusted, Nix will only trust substituters that are in trusted-substituters. But users don’t always know if they are trusted or not by the Nix daemon, especially when sharing configs accross machines. So for example, a user has a nix.conf in $HOME/.config/nix/ that looks like this: substituters = https://cache.nixos.org https://my-custom-cache.cachix.org Nix will override the default substituters, but skip both with: warning: ignoring untrusted substituter ‘https://cache.nixos.org’ warning: ignoring untrusted substituter ‘https://my-custom-cache.cachix.org’ So the user now gets no substituters, and would have to remove the substituters config setting to reenable cache.nixos.org. To fix this, just include https://cache.nixos.org by default. This can still be overridden by the user.
matthewbauer
force-pushed
the
trust-cache-nixos-org
branch
from
5419bf5
to
2b343ff
Compare
|
Because of relocatable source code / deprecation hassjed mirrors, maybe this should be unconditional? |
|
That sounds like a good idea. Should both |
Since 0744f7f, it is now useful to have cache.nixos.org in substituers even if /nix/store is not the Nix Store Dir. This can always be overridden via configuration, though.
|
Does this set a default, or does it force users to trust c.n.o?
…On Wed, Dec 2, 2020, at 7:11 PM, Matthew Bauer wrote:
When a user is untrusted, Nix will only trust substituters that are in
trusted-substituters. But users don’t always know if they are trusted
or not by the Nix daemon, especially when sharing configs accross
machines. So for example, a user has a nix.conf in $HOME/.config/nix/
that looks like this:
substituters = https://cache.nixos.org https://my-custom-cache.cachix.org
Nix will override the default substituters, but skip both with:
warning: ignoring untrusted substituter ‘https://cache.nixos.org’ <https://cache.nixos.xn--org-to0a/>
warning: ignoring untrusted substituter ‘https://my-custom-cache.cachix.org’ <https://my-custom-cache.cachix.xn--org-to0a/>
So the user now gets no substituters, and would have to remove the
substituters config setting to reenable cache.nixos.org. To fix this,
just include https://cache.nixos.org by default. This can still be
overridden by the user.
You can view, comment on, or merge this pull request online at:
#4306
Commit Summary
* Add cache.nixos.org to trusted substituters by default
File Changes
* *M* src/libstore/globals.hh <https://github.com/NixOS/nix/pull/4306/files#diff-9412152b7224a524f972b70909301342567c69c9f391625677764859063c48eb> (2)
Patch Links:
* https://github.com/NixOS/nix/pull/4306.patch
* https://github.com/NixOS/nix/pull/4306.diff
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub <#4306>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAASXLAJ3C43ISDDLEROEMDSS3JUDANCNFSM4ULG5XSQ>.
|
|
To say more, there are Nix users who don't use our cache and don't want to trust our cache. |
So it adds another option they need to set if they don't trust our cache.nixos.org. Currently, they just need to set |
|
Two questions:
These two has been terrible for years, and it would be nice to really fix. Maybe call them |
|
Since 99% of users will use this I support this being opt-out via some flag. |
It shouldn't make any difference - CLI flags should always have precedence over any nix.conf though.
I'm not sure how to do this in the way the current configuration works. We'd want the default for one setting to depend on the default of the other setting, which I don't think? we have a way to do right now. |
I would change every access of |
That's already the case, see StringSet trusted = settings.trustedSubstituters;
for (auto & s : settings.substituters.get())
trusted.insert(s); |
|
Oh this was my bad! This was just a case of a missing slash in my substituters not being picked up ( See #4318 for a real fix for that problem. |
|
I wish that uris would be normalized, that would save lots of frustration. |
|
@matthewbauer we may still want to do the change of not caring about the store path? |
Yes - #4321 |
When a user is untrusted, Nix will only trust substituters that are in
trusted-substituters. But users don’t always know if they are trusted
or not by the Nix daemon, especially when sharing configs accross
machines. So for example, a user has a nix.conf in $HOME/.config/nix/
that looks like this:
substituters = https://cache.nixos.org https://my-custom-cache.cachix.org
Nix will override the default substituters, but skip both with:
warning: ignoring untrusted substituter ‘https://cache.nixos.org’
warning: ignoring untrusted substituter ‘https://my-custom-cache.cachix.org’
So the user now gets no substituters, and would have to remove the
substituters config setting to reenable cache.nixos.org. To fix this,
just include https://cache.nixos.org by default. This can still be
overridden by the user.