Yesterday, while debugging an issue with a community member's install of Nix on macOS, I noticed the following lines in what's supposed to be a fresh nix.conf:
extra-trusted-substituters = https://cache.flakehub.com
extra-trusted-public-keys = cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM= cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio= cache.flakehub.com-5:zB96CRlL7tiPtzA9/WKyPkp3A2vqxqgdgyTVNGShPDU= cache.flakehub.com-6:W4EGFwAGgBj3he7c5fNh9NkOXw0PUVaxygCVKeuvaqU= cache.flakehub.com-7:mvxJ2DZVHn/kRxlIaxYNMuDG1OvMckZu32um1TadOR8= cache.flakehub.com-8:moO+OVS0mnTjBTcOUh2kYLQEd59ExzyoW1QgQ8XAARQ= cache.flakehub.com-9:wChaSeTI6TeCuV/Sg2513ZIM9i0qJaYsF+lZCXg0J6o= cache.flakehub.com-10:2GqeNlIp6AKp4EF2MVbE1kBOp9iBSyo0UPR9KoR0o1Y=
The user was using the Determinate Systems installer, so I went over to their repo to check under what conditions those lines get added, fully expecting that they would only be added when installing Determinate Nix and that the user had accidentally copied the installation command for that, only to find that the lines are added unconditionally (see GitHub):
// base, unintrusive Determinate Nix options
{
    // Add FlakeHub cache to the list of possible substituters, but disabled by default.
    // This allows a user to turn on FlakeHub Cache by adding it to the `extra-substituters`
    // list without being a trusted user.
    settings.insert(
        "extra-trusted-substituters".to_string(),
        "https://cache.flakehub.com".to_string(),
    );
    ...
}
First of all, it's a sysadmin's nightmare. When you install Nix, how often do you check the generated nix.conf? This allows untrusted (probably for a reason) users to use a different, proprietary binary substituter, which doesn't seem good.
Secondly, this feels like preferential treatment from something I’ve perceived as a general-purpose installer.
In conclusion, the experimental Nix installer probably needs to be finished and promoted sooner.
I don't know if this discussion would be better off in the Determinate Systems installer's issues; here it feels like more people would be able to see it.
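Since the complaint above boils down to "nobody re-reads the generated nix.conf", here is a small audit script for it. This is an added example and not code from the post or from the Determinate Systems installer; it parses `key = value` lines, folds `extra-<key>` entries into `<key>` (a simplified version of how Nix merges them), and reports every `substituters`, `trusted-substituters` or `trusted-public-keys` entry that is not on an allowlist. The allowlist (cache.nixos.org and its public key) and the sample nix.conf are assumptions constructed for the example; the FlakeHub lines in the sample are the ones quoted above.

```python
"""Audit a nix.conf for trusted substituters and signing keys outside an allowlist.

Added example, not part of the original post or the installer project. The
allowlist below is an assumption for the example; adjust it to the caches
your site actually trusts.
"""
import sys
from typing import Dict, List

# Constructed sample nix.conf for this example: two ordinary defaults plus the
# FlakeHub lines quoted in the post (only two of the keys, to keep it short).
SAMPLE_NIX_CONF = """\
# generated by the installer
build-users-group = nixbld
experimental-features = nix-command flakes
extra-trusted-substituters = https://cache.flakehub.com
extra-trusted-public-keys = cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM= cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio=
"""

# Allowlist (assumption for this example): the official cache and its key.
ALLOWED_SUBSTITUTERS = {"https://cache.nixos.org"}
ALLOWED_PUBLIC_KEYS = {"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="}


def parse_nix_conf(text: str) -> Dict[str, List[str]]:
    """Parse `key = value` lines into whitespace-split lists.

    `extra-<key>` appends to `<key>`, mirroring how Nix merges the two
    (simplified: a later plain `<key> = ...` replaces the list). Comments and
    blank lines are ignored; only the first `=` separates key from value, so
    base64 keys ending in `=` survive intact.
    """
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("extra-"):
            settings.setdefault(key[len("extra-"):], []).extend(value.split())
        else:
            settings[key] = value.split()
    return settings


def _norm_url(url: str) -> str:
    # Treat "https://host" and "https://host/" as the same cache.
    return url.rstrip("/").lower()


def audit(settings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the substituters and public keys that are not on the allowlist.

    `trusted-substituters` is the setting the post is about: anything listed
    there can be switched on by a non-trusted user via `extra-substituters`,
    so an unexpected entry widens who can feed store paths to the daemon.
    """
    allowed_urls = {_norm_url(u) for u in ALLOWED_SUBSTITUTERS}
    findings: Dict[str, List[str]] = {}
    for name in ("substituters", "trusted-substituters"):
        bad = [u for u in settings.get(name, []) if _norm_url(u) not in allowed_urls]
        if bad:
            findings[name] = bad
    bad_keys = [k for k in settings.get("trusted-public-keys", []) if k not in ALLOWED_PUBLIC_KEYS]
    if bad_keys:
        findings["trusted-public-keys"] = bad_keys
    return findings


def audit_file(path: str) -> Dict[str, List[str]]:
    """Audit a nix.conf on disk, e.g. /etc/nix/nix.conf."""
    with open(path, encoding="utf-8") as fh:
        return audit(parse_nix_conf(fh.read()))


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run over the sample.
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit(parse_nix_conf(SAMPLE_NIX_CONF))
    for setting, entries in result.items():
        for entry in entries:
            print(f"unexpected {setting}: {entry}")
    sys.exit(1 if result else 0)
```

Run as `python audit_nix_conf.py /etc/nix/nix.conf` after an install (or from a config-management check); a non-zero exit means something beyond the allowlist was written. On the sample it flags `https://cache.flakehub.com` under `trusted-substituters` and both FlakeHub keys, which is exactly the situation described in the post.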