search

fort-nix / nix-bitcoin

A collection of Nix packages and NixOS modules for easily installing full-featured Bitcoin nodes with an emphasis on security.
https://nixbitcoin.org
MIT License
508 stars 106 forks source link

Reduce reliance on the NixOS cache #223

Open jonasnick opened 4 years ago

jonasnick commented 4 years ago

The most concerning weakness in terms of security right now is the dependence on cache.nixos.org. Most likely users do not build packages that are in the cache themselves (which could be achieved disabling substitutes in the nix.conf). Most of NixOS is reproducible (https://r13y.com/).

Would it be useful to set up a build server ourselves and give the users the ability to compare the hashes in their nix store with our builds? If so, what would be the easiest and UX-friendliest way to achieve this?

nixbitcoin commented 4 years ago

We could also distribute the nix store hashes in a trust-less way by pinning the hash of hashes on a SSOT like DNS or the Bitcoin Blockchain.

mmilata commented 3 years ago

Trustix looks like an attempt to solve this problem: https://build-transparency.org/

nixbitcoin commented 2 years ago

As soon as Trustix is viable we should use it and also spin up our own cluster as part of the federation.