Announcing Cachix private binary caches and 0.2.0 release

2 Likes

Yay! (even though I’m not yet an active cachix user)

Is there a plan for client-side encryption? I guess it would require changes to Nix,

That’s something we could build, but it would be a tiny proxy you would run somewhere within your network that would encrypt/decrypt NARs behind your walls. Doesn’t have to be cachix-specific.

1 Like

I see cachix as a way to completely remove the need to configure your own binary cache instance. One case is using it with current CI infra.

CircleCI pulls nix expressions and source code, configures the cachix cache and builds an expression. Without first-class encryption/decryption support I’ll have to write wrappers around nix-build to decode pulled NARs on the fly.

As long as the cachix client is open and peer-reviewed, we can be sure it does its job and never sends precious build results unencrypted.

> I see cachix as a way to completely remove the need to configure your own binary cache instance. One case is using it with current CI infra.

If Nix would support NAR encryption/decryption, that would be ideal, as cachix could just support it.

My proposal was meant as a mid-term solution, to get all the benefits of cachix but also encrypt contents on the client side if that’s a requirement.

1 Like