I finally managed to finish my Bachelor’s thesis titled “Secure Nix Expression Updates”, in which I explore how Nix update mechanisms (e.g. nix flake update) can be protected from repository-side attacks.
You can find it at https://landweber.xyz/ba.pdf.
tl;dr:
My threat model assumes that the server hosting the expression (e.g. GitHub for Nixpkgs or a self-hosted Git server for a configuration) was compromised by an attacker.
I suggest using Git repositories to distribute signatures and describe multiple verification mechanisms, namely
I also use niv to showcase how downgrade attacks could be prevented and discuss challenges.
I would like to thank all members of the community who discussed the topic with me for their generous time and insights.
I’d appreciate any further input on my thesis or Nix expression security in general.