blog(nix-iceberg): more explanation on --pwn-me-mommy

2025-07-30 12:37:50 +00:00 · 2025-06-06 23:57:31 +03:00 · 2025-06-06 23:57:31 +03:00 · e7a3c5a7bb
commit e7a3c5a7bb
parent 772093ace7
1 changed files with 7 additions and 0 deletions
--- a/site/blog/2024-04-15-nix-iceberg.md
+++ b/site/blog/2024-04-15-nix-iceberg.md
@ -571,6 +571,13 @@ the
 option, which then allows Nix expressions to load arbitrary dynamic libraries,
 which can do anything as they are not confined to the Nix evaluation sandbox.

+However, a malicious flake doesn't even have to go that far. It can define an
+evil substituter using the `extra-substituters` key in `nixConfig`, and you may
+get served malicious packages.
+
+This is why you should generally be wary of using this option or typing in `Y`
+when asked to trust a substituter/enable a setting in interactive mode.
+
 ## Zilch

 ZilchOS is a decidedly tiny Nix-based distro. It is a great project to see how