Determinate systems installer adds flakehub to trusted substituters unconditionally

Yesterday, while debugging an issue with the community member’s install of nix in Nix on macOS, I noticed the following lines in what’s supposed to be a fresh nix.conf:

extra-trusted-substituters = https://cache.flakehub.com
extra-trusted-public-keys = cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM= cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio= cache.flakehub.com-5:zB96CRlL7tiPtzA9/WKyPkp3A2vqxqgdgyTVNGShPDU= cache.flakehub.com-6:W4EGFwAGgBj3he7c5fNh9NkOXw0PUVaxygCVKeuvaqU= cache.flakehub.com-7:mvxJ2DZVHn/kRxlIaxYNMuDG1OvMckZu32um1TadOR8= cache.flakehub.com-8:moO+OVS0mnTjBTcOUh2kYLQEd59ExzyoW1QgQ8XAARQ= cache.flakehub.com-9:wChaSeTI6TeCuV/Sg2513ZIM9i0qJaYsF+lZCXg0J6o= cache.flakehub.com-10:2GqeNlIp6AKp4EF2MVbE1kBOp9iBSyo0UPR9KoR0o1Y=

The user was using a Determinate Systems installer, so I went over to their repo to check what the conditions for adding those lines were, fully expecting that they would only be added when installing Determinate Nix and that the user had accidentally copied the installation command for that, only to find that the lines are added unconditionally; see GitHub:

// base, unintrusive Determinate Nix options
{
	// Add FlakeHub cache to the list of possible substituters, but disabled by default.
	// This allows a user to turn on FlakeHub Cache by adding it to the `extra-substituters`
	// list without being a trusted user.
	settings.insert(
		"extra-trusted-substituters".to_string(),
		"https://cache.flakehub.com".to_string(),
	);
	...
}

First of all, it’s a sysadmin’s nightmare. When you install nix, how often do you check the generated nix.conf? This allows untrusted (probably for a reason) users to use different, proprietary binary substituters, which doesn’t seem good.

Secondly, this feels like preferential treatment from something I’ve perceived as a general-purpose installer.

In conclusion, the experimental nix installer probably needs to be finished and promoted sooner.

I don’t know if this discussion would be better off in the Determinate Systems installer’s issues; here it feels like more people would be able to see it.

11 Likes
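The post's point is that nobody reads the generated nix.conf, so a small audit that parses it and flags any trusted substituter or signing key outside an allowlist is the check an administrator would want after running any third-party installer. This is an added example, not code from the thread or from the Determinate Systems installer. It assumes nix.conf's documented `key = value` syntax, that `extra-<name>` appends to `<name>` (treated here as order-sensitive, which is an assumption about the parser, not a documented guarantee), and that `#` starts a comment; the sample config is constructed here from the lines quoted above plus the well-known cache.nixos.org entries.

```python
"""Audit a nix.conf for trusted substituters and public keys outside an allowlist.

Added example (not the installer's or the thread's own code). Assumptions:
  * nix.conf is `key = value` per line, `#` starts a comment, values are
    whitespace-separated lists;
  * `extra-<name>` appends to `<name>`, a plain `<name>` assignment replaces
    whatever was accumulated so far (order-sensitive here; an assumption).
"""
import sys
from collections import defaultdict

# Constructed sample: a fresh-looking nix.conf that trusts cache.nixos.org
# (the usual default) and has the FlakeHub lines from the thread appended.
SAMPLE_NIX_CONF = """\
# generated by an installer
build-users-group = nixbld
experimental-features = nix-command flakes
trusted-substituters = https://cache.nixos.org
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
extra-trusted-substituters = https://cache.flakehub.com
extra-trusted-public-keys = cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM= cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio=
"""

# Allowlist: what a site expects a fresh install to trust. Adjust per site.
ALLOWED_SUBSTITUTERS = {"https://cache.nixos.org"}
ALLOWED_KEY_NAME_PREFIXES = ("cache.nixos.org-",)


def parse_nix_conf(text: str) -> dict[str, list[str]]:
    """Turn nix.conf text into effective list-valued settings."""
    settings: dict[str, list[str]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, values = key.strip(), value.split()
        if key.startswith("extra-"):
            settings[key[len("extra-"):]].extend(values)  # append semantics
        else:
            settings[key] = list(values)  # plain assignment replaces
    return dict(settings)


def audit_trust(
    settings: dict[str, list[str]],
    allowed_substituters: set[str] = ALLOWED_SUBSTITUTERS,
    allowed_key_prefixes: tuple[str, ...] = ALLOWED_KEY_NAME_PREFIXES,
) -> list[str]:
    """Return one finding per substituter or signing key not on the allowlist.

    Both `substituters` and `trusted-substituters` are checked: the first is
    what the daemon uses now, the second is what an untrusted user may enable
    later just by listing it in their own `extra-substituters`.
    """
    findings: list[str] = []
    for setting in ("substituters", "trusted-substituters"):
        for sub in settings.get(setting, []):
            if sub not in allowed_substituters:
                findings.append(f"{setting}: not on allowlist: {sub}")
    for key in settings.get("trusted-public-keys", []):
        name = key.split(":", 1)[0]  # "<name>:<base64>" -> "<name>"
        if not name.startswith(allowed_key_prefixes):
            findings.append(f"trusted-public-keys: not on allowlist: {key}")
    return findings


def main(argv: list[str]) -> int:
    """Audit the file given on the command line, or the constructed sample."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_NIX_CONF
    findings = audit_trust(parse_nix_conf(text))
    for finding in findings:
        print(finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it against `/etc/nix/nix.conf` exits non-zero and prints one line per unexpected entry; on the constructed sample it reports the FlakeHub substituter and its two keys. The allowlist is deliberately a site decision rather than a built-in list, since the thread's complaint is precisely that the installer made that decision for the user.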

I guess it makes sense that the DetSys Installer is tied to other DetSys services, but the installer page doesn’t make it clear that there are any changes to the defaults other than enabling Flakes.

FWIW the Lix installer (based on the DetSys Installer) doesn’t do this, but I’m not sure if it’s able to install anything other than Lix (not that I’d expect it to).

3 Likes

please make it happen! Many would appreciate it I’m sure.

1 Like

Calling them

base, unintrusive Determinate Nix options

is also a bit wild, considering basically anyone can publish on flakehub, with no eyes on the code. Even without substitution, bad code is still bad, but I don’t know that it should be made even easier to pull in.

4 Likes