mirror of https://github.com/RGBCube/Site synced 2025-08-01 13:37:49 +00:00

blog(nix-iceberg): more explanation on --pwn-me-mommy

RGBCube 2025-06-06 23:57:31 +03:00
parent 772093ace7
commit e7a3c5a7bb
Signed by: RGBCube
SSH key fingerprint: SHA256:CzqbPcfwt+GxFYNnFVCqoN5Itn4YFrshg1TrnACpA5M


@ -571,6 +571,13 @@ the
option, which then allows Nix expressions to load arbitrary dynamic libraries, option, which then allows Nix expressions to load arbitrary dynamic libraries,
which can do anything as they are not confined to the Nix evaluation sandbox. which can do anything as they are not confined to the Nix evaluation sandbox.
However, a malicious flake doesn't even have to go that far. It can define an
evil substituter using the `extra-substituters` key in `nixConfig`, and you may
get served malicious packages.
This is why you should generally be wary of using this option or typing in `Y`
when asked to trust a substituter/enable a setting in interactive mode.
## Zilch ## Zilch
ZilchOS is a decidedly tiny Nix-based distro. It is a great project to see how ZilchOS is a decidedly tiny Nix-based distro. It is a great project to see how
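
Review bot: In the last added paragraph, "this option" in "be wary of using this option" no longer has a clear referent, because the paragraph added just before it introduces the `extra-substituters` key in `nixConfig`; name the option explicitly in that sentence so the warning still points at the setting discussed above the hunk. The new text also says "you may get served malicious packages" without saying why the client would accept what that substituter serves, so a short sentence on what makes the flake-defined substituter trusted once the config is accepted would make the risk concrete. It would also help to state in one place that the interactive `Y` prompt and the option lead to the same outcome, since the paragraph currently lists them side by side without connecting them.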