summary refs log tree commit diff
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2013-11-07 22:18:24 +0100
committerLudovic Courtès <ludo@gnu.org>2013-11-07 22:18:24 +0100
commit18f2887bffeda697bf5ba227c75e303aad04898a (patch)
treeb34dfc104c472e60e71730e62aa05f9f8e0e7a10
parentb5385b528cd4b2674e0c656ea99d7ecd81ffe41d (diff)
downloadguix-18f2887bffeda697bf5ba227c75e303aad04898a.tar.gz
doc: Document current security issue with substitutes.
Suggested by Mark H. Weaver <mhw@netris.org>.

* doc/guix.texi (Features): Add note about unauthenticated binaries.
-rw-r--r--doc/guix.texi12
1 files changed, 10 insertions, 2 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 64b18b4416..43e7935b4c 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -455,10 +455,18 @@ scripts, etc.  This direct correspondence allows users to make sure a
 given package installation matches the current state of their
 distribution, and helps maximize @dfn{reproducibility}.
 
+@cindex substitute
 This foundation allows Guix to support @dfn{transparent binary/source
 deployment}.  When a pre-built binary for a @file{/nix/store} path is
-available from an external source, Guix just downloads it; otherwise, it
-builds the package from source, locally.
+available from an external source---a @dfn{substitute}, Guix just
+downloads it@footnote{@c XXX: Remove me when outdated.
+As of version @value{VERSION}, substitutes are downloaded from
+@url{http://hydra.gnu.org/} but are @emph{not} authenticated---i.e.,
+Guix cannot tell whether binaries it downloaded have been tampered with,
+nor whether they come from the genuine @code{gnu.org} build farm.  This
+will be fixed in future versions.  In the meantime, concerned users can
+opt for @code{--no-substitutes} (@pxref{Invoking guix-daemon}).};
+otherwise, it builds the package from source, locally.
 
 @node Invoking guix package
 @section Invoking @command{guix package}