apparently it is not a valid store path
Discussion
Ah yeah, it's an example I guess. You could try any Nix package you have defined locally, or further in the examples there's: `nix-instantiate '
Yes, that worked. But aren't we trusting that the author of the derivation is not including a malicious hash? This is what Trustix was trying to solve, or am I still missing something?
A derivation isn't downloaded, it's generated locally. Then you take the output hash of the generated derivation, and look for it first locally, then remotely at binary caches. The point is that a deterministic build can be defined (the outputHash) locally and fetched remotely without fear; Nix will check the received binary. It's why we call caches "substituters" in Nix, because I can safely substitute a build output with a remote one if I know its hash. I should draw this out 😅
Trustix is more about detecting malicious builders at large. If you only rely on caches for your packages, we can compare their build outputs to each other and generate trust scores over time. It would need an ecosystem of builders to be useful.
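The cross-builder comparison described in the last reply can be sketched as follows. This is an added example, not part of the thread and not Trustix's own code or log format: it parses the `.narinfo` metadata that binary caches serve for a store path and flags caches whose `NarHash` differs from the strict majority. The cache host names, store path and hash values are constructed, and the majority rule is an assumption standing in for a real trust score.

```python
from collections import Counter, defaultdict

# Constructed sample: .narinfo bodies for one store path as served by three
# hypothetical caches. Host names, store hash and NarHash values are made up.
PATH = "/nix/store/" + "a" * 32 + "-hello-2.12"
SAMPLE = {
    "cache-a.example": f"StorePath: {PATH}\nURL: nar/a.nar.xz\nNarHash: sha256:AAAA\nNarSize: 226560\n",
    "cache-b.example": f"StorePath: {PATH}\nURL: nar/b.nar.xz\nNarHash: sha256:AAAA\nNarSize: 226560\n",
    "cache-c.example": f"StorePath: {PATH}\nURL: nar/c.nar.xz\nNarHash: sha256:BBBB\nNarSize: 226912\n",
}

def parse_narinfo(text):
    """Parse the 'Key: value' lines of a .narinfo into a dict."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"malformed narinfo line: {line!r}")
        fields[key] = value
    for required in ("StorePath", "NarHash"):
        if required not in fields:
            raise ValueError(f"narinfo missing {required}")
    return fields

def compare_builders(responses):
    """Group builders by the NarHash they report for each store path."""
    claims = defaultdict(dict)  # store path -> {builder: NarHash}
    for builder, text in responses.items():
        info = parse_narinfo(text)
        claims[info["StorePath"]][builder] = info["NarHash"]
    report = {}
    for path, by_builder in claims.items():
        counts = Counter(by_builder.values())
        top_hash, top_votes = counts.most_common(1)[0]
        # Only accept a hash reported by a strict majority of builders.
        majority = top_hash if top_votes * 2 > len(by_builder) else None
        report[path] = {
            "majority": majority,
            "outliers": sorted(b for b, h in by_builder.items() if h != majority),
        }
    return report

if __name__ == "__main__":
    for path, result in compare_builders(SAMPLE).items():
        print(path, result)
```

A mismatch alone does not say which builder is wrong: it can mean a non-reproducible build as well as a tampered one, which is why the comparison only becomes useful with several independent builders.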