How would that work with dependencies? Like if I depend on a flake foo that sets some Nix options. Would these be ignored or inherited in the top-level flake?

Currently it only uses options from the top-level flake. Since dependencies are fetched lazily that's really the only option, unless we propagate options into the lock file.

How useful is substituters without the "trusted-public-keys" setting? Without setting that, I think you just get an error when a new substituter is enabled (unless you happen to have it allowed in your global config). Of course allowing trusted-public-keys per-project is probably a security concern.

It would be nice UX to prompt users if no trusted key matches, asking if they trust the cache URL. If not, it would get on a list of "untrusted-public-keys" so we would avoid trying it in the future.

Allowing to specify custom binary cache at the project level is worth all this trouble. That would mean no need to explain to your users / coworkers to add a binary cache. And I'm not alone by saying that this is not the easiest thing to do in Nix.

How useful is substituters without the "trusted-public-keys" setting? Without setting that, I think you just get an error when a new substituter is enabled (unless you happen to have it allowed in your global config). Of course allowing trusted-public-keys per-project is probably a security concern.

It would be nice UX to prompt users if no trusted key matches, asking if they trust the cache URL. If not, it would get on a list of "untrusted-public-keys" so we would avoid trying it in the future.

I assume that @edolstra didn't add it to the list of possible options exactly because of the security concern. But it is also true that without it wouldn't pull binaries from the cache. I can only agree with @matthewbauer that we need to prompt users in cache no trusted key matches.

Here are some my ideas / questions / concerns, without thinking about implementation, but trying to put myself in the user and try to meet expectations:

• Using the name substitutors is confusing since we are talking about binary cache. As a novice nix user adding a binary cache would mean adding and url to the binary-caches list. (I will use binary-caches from now on).

• Most of the time there is one public key per cache. It is easy to miss some keys when adding them to a separate list. Keys could easily be paired with the binary cache. For backward compatibility we can still allow substituters and trusted-public-keys. Example:

  {
   config.binary-caches = [
     "https://cache.nixos.org"
     # or
     { url = "https://cache1.example.com"; }
     # or
     { url = "https://cache2.example.com";
       key = "cache2.example.com-1:....";
     }
   ];
  }

• User simply providing a link should be enough for nix to (1) check if we trust the binary cache (2) and if we don't where to go to get the correct public keys (and how to do it securely).

• When nix detects that we don't have correct public keys (that we don't trust the binary cache) we should prompt the user that (only once for a user, we can store this state in ~/.cache/nix/...) there is no existing key that we already trust and that a user should (go this this url, if this is possible to get from cache and) provide a binary cache with a link to the documentation on how to do it securely.

• flake-registry could/should also provide a list of binary cache with public key (as it is a trusted source). If adding an binary cache from the list of caches on flake-registry we could propose to the use to add it.

• Currently the nix command does not have any interactive UI in the command line interface. I'm assuming that we would want to change this also for the other commands. We should of course also add an option (eg. --dont-ask / --no-interactive) at the nix command level to disable interactive mode all together.

This is what I have so far, but I'm really happy with this coming to Nix.

binary-caches exists as a deprecated alias of substituters. It's not a good name because there are substituters that are not binary caches and that you might want to configure in flake.nix, e.g. ssh://some-server.

I like the idea of having per-project configuration. In the past I had to use some weird hacks with direnv to get my nix CLI use a slightly different configuration for some customer project. Not being able to set a public key is reasonable but I wonder what the value in this is if we can't use our own caches? We would still need system-wide (or if trusted, user local) configuration of trusted signing keys. How many binary caches are there that someone would be using in a project/company to warrant that not being configured the same time you configure the public keys?

The given example of an SSH substituters might be the only one I really see as "complete" here. At least with SSH it is common to configure authenticaiton outside of what Nix can do (right now).

As long as we keep the number of supported settings as restrictive as proposed in this PR this is probably fine. If we ever expand it further (e.g. allowing users to set sandbox = false) we should think about requiring an explicit "ack" from the user (the first time the flake, in that version, is being built). I really like the direnv model for confirmation from users.

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-4/9862/1

@edolstra no netrc-file or public keys support? That really limits the use of binary caches for flakes.

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-5/10560/1

I want to link to a nascent community project with certain scope overlap. I furthermore suggest and encourage, as far as I'm conceded to do so, to explore any so opportunity for collusion and thought entanglement https://github.com/numtide/devshell

For those who like me, wonder where to add the nixConfig attribute, I found here that it is a top level attribute in a flake.nix. So it's used like so:

{
  description = "...";
  nixConfig.bash-prompt = "\[nix-develop\]$ ";
  ...
}

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nix-2-6-0-released/17324/11