Mark H Weaver <m...@netris.org> writes:

> I was thinking about the security implications of giving out shell
> access to one of my systems running Guix.
>
> When I ask guix-daemon to build package 'foo', it will use as an input
> the source for package 'foo', usually a tarball. If the tarball is
> already in the store, it won't download it again, because it is
> effectively cached in the store.
>
> Is it possible for another user on the same system to corrupt the cache,
> by manually adding a bad tarball for 'foo' to the store, in such a way
> that it would be used to build 'foo' when I ask for it?

No. Tarballs are fixed-output derivations, so the hash of the tarball is known in advance. Thus, when building a package, you’re sure to use the tarball whose hash is in the recipe.

Ludo’.
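
The behaviour described in the reply above, as an added example that is not part of the original thread and not Guix's own code. It is a simplified model: `ToyStore`, `store_path` and the path encoding are assumptions made for illustration, and the tarball contents are constructed sample data.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def store_path(name: str, content_sha256: str) -> str:
    # Simplified model: the path is a function of the item's name and its
    # content hash only. Guix's real path encoding differs in detail.
    tag = hashlib.sha256(f"fixed:{content_sha256}:{name}".encode()).hexdigest()[:32]
    return f"/gnu/store/{tag}-{name}"

class ToyStore:
    """Stand-in for the daemon, the only party allowed to write to the store."""
    def __init__(self):
        self.items = {}  # store path -> content

    def add(self, name: str, content: bytes, claimed_sha256: str = None) -> str:
        actual = sha256_hex(content)
        # A claimed hash that does not match the bytes is refused.
        if claimed_sha256 is not None and claimed_sha256 != actual:
            raise ValueError(f"hash mismatch for {name}")
        path = store_path(name, actual)
        self.items[path] = content
        return path

    def cached_source(self, name: str, recipe_sha256: str):
        # A build looks up the path computed from the hash in the recipe.
        return self.items.get(store_path(name, recipe_sha256))

# Constructed sample data.
GENUINE = b"foo-1.0 upstream sources"
TAMPERED = b"foo-1.0 sources, modified"
RECIPE_SHA256 = sha256_hex(GENUINE)  # the hash recorded in the package recipe

def demo():
    store = ToyStore()
    bad_path = store.add("foo-1.0.tar.gz", TAMPERED)  # another user's addition
    hit_after_tamper = store.cached_source("foo-1.0.tar.gz", RECIPE_SHA256)
    try:
        store.add("foo-1.0.tar.gz", TAMPERED, claimed_sha256=RECIPE_SHA256)
        forged = True
    except ValueError:
        forged = False
    good_path = store.add("foo-1.0.tar.gz", GENUINE, claimed_sha256=RECIPE_SHA256)
    hit_after_genuine = store.cached_source("foo-1.0.tar.gz", RECIPE_SHA256)
    return bad_path, good_path, hit_after_tamper, forged, hit_after_genuine

if __name__ == "__main__":
    print(demo())
```

In this model the modified tarball lands at a different store path from the one the recipe's hash selects, so the build either finds the genuine tarball or finds nothing and has to fetch it.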