wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-03 02:01:48 +02:00
Code Activity

Dodge "trusted" vs "trustworthy" by being explicit

Browse source 
Hopefully this is best!
This commit is contained in:
John Ericson 2022-09-22 14:36:26 -04:00 committed by John Ericson
parent 752f967c0f
commit a2a8cb10ac
5 changed files with 14 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/libstore/globals.hh
View file

@ -560,9 +560,15 @@ public:
R"(
If set to `true` (the default), any non-content-addressed path added
or copied to the Nix store (e.g. when substituting from a binary
cache) must have a trustworthy signature, that is, be signed using one of
the keys listed in `trusted-public-keys` or `secret-key-files`. Set
to `false` to disable signature checking.
cache) must have a signature by a key we trust. A trusted key is one
listed in `trusted-public-keys`, or a public key counterpart to a
private key stored in a file listed in `secret-key-files`.
Set to `false` to disable signature checking and trust all
non-content-addressed paths unconditionally.
(Content-addressed paths are inherently trustworthy and thus
unaffected by this configuration option.)
)"};
Setting<StringSet> extraPlatforms{