Open
Description
The most concerning weakness in terms of security right now is the dependence on cache.nixos.org. Most likely, users do not build packages that are in the cache themselves (which could be achieved by disabling substitutes in nix.conf). Most of NixOS is reproducible (https://r13y.com/).
Would it be useful to set up a build server ourselves and give the users the ability to compare the hashes in their nix store with our builds? If so, what would be the easiest and UX-friendliest way to achieve this?
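One way to do the comparison the question asks about, as an added example that is not part of this issue and not code from Nix or from this project: the script below takes the NAR hash of a store path that is already in the local store (via `nix path-info --json`, or the `sha256:<nix-base32>` form that `nix-store --query --hash` prints) and compares it with the `NarHash:` line of the `.narinfo` file a binary cache serves for that path. It assumes the cache publishes `<cache-url>/<32-char hash part>.narinfo` in the format cache.nixos.org uses, and that the two hash encodings it has to reconcile are Nix base32 (narinfo) and SRI base64 (`nix path-info`). The narinfo text, store path and hashes in the self-check are constructed, not real.

```python
#!/usr/bin/env python3
"""Compare a local store path's NAR hash with what a binary cache advertises.

Added example for this discussion, not Nix or project code.  Assumptions:
  * local hash: `nix path-info --json` (sha256-<base64>, SRI) or
    `nix-store --query --hash` (sha256:<nix-base32>);
  * the cache serves <cache>/<hash part>.narinfo with a `NarHash:` line.
The sample narinfo/hashes below are constructed for the self-check.
"""
import base64
import json
import re
import subprocess
import sys
import urllib.request

NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"  # Nix's alphabet omits e, o, t, u


def nix_base32_decode(s: str) -> bytes:
    """Decode Nix base32: 5-bit digits are read from the END of the string."""
    n_bytes = len(s) * 5 // 8
    out = bytearray(n_bytes)
    for n, ch in enumerate(reversed(s)):
        digit = NIX_BASE32.index(ch)  # raises ValueError on a bad character
        i, j = divmod(n * 5, 8)
        out[i] |= (digit << j) & 0xFF
        if i + 1 < n_bytes:
            out[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):
            raise ValueError(f"invalid Nix base32 hash: {s}")
    return bytes(out)


def nix_base32_encode(b: bytes) -> str:
    """Inverse of nix_base32_decode, using the same bit layout as Nix's printHash32."""
    length = (len(b) * 8 - 1) // 5 + 1
    chars = []
    for n in range(length - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = b[i] >> j
        if i + 1 < len(b):
            c |= b[i + 1] << (8 - j)
        chars.append(NIX_BASE32[c & 0x1F])
    return "".join(chars)


def parse_hash(text: str) -> tuple[str, bytes]:
    """Normalise 'sha256:<nix-base32>' or 'sha256-<base64>' (SRI) to (algo, raw digest)."""
    m = re.fullmatch(r"(sha256|sha512)([:-])([A-Za-z0-9+/=]+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised hash format: {text!r}")
    algo, sep, body = m.groups()
    digest = nix_base32_decode(body) if sep == ":" else base64.b64decode(body, validate=True)
    return algo, digest


def parse_narinfo(text: str) -> dict[str, str]:
    """Parse the 'Key: Value' lines of a .narinfo file (a repeated key keeps the last value)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def narinfo_matches(narinfo_text: str, local_hash: str) -> bool:
    """True iff the cache's NarHash and the local NAR hash are the same digest."""
    return parse_hash(parse_narinfo(narinfo_text)["NarHash"]) == parse_hash(local_hash)


def local_nar_hash(store_path: str) -> str:
    """Ask the local Nix store for the NAR hash of a path that is already present."""
    raw = subprocess.check_output(["nix", "path-info", "--json", store_path], text=True)
    data = json.loads(raw)
    # Newer Nix returns {path: {...}}; older versions return [{"path": ..., "narHash": ...}].
    info = data[store_path] if isinstance(data, dict) else data[0]
    return info["narHash"]


def fetch_narinfo(cache_url: str, store_path: str) -> str:
    """Fetch <cache>/<hash part>.narinfo; the hash part is the 32 chars after /nix/store/."""
    hash_part = store_path.rsplit("/", 1)[-1][:32]
    with urllib.request.urlopen(f"{cache_url.rstrip('/')}/{hash_part}.narinfo") as resp:
        return resp.read().decode()


# Constructed sample: digest 0x01 followed by 31 zero bytes, in both encodings.
SAMPLE_NAR_HASH_B32 = "sha256:" + "0" * 51 + "1"          # 52 Nix base32 digits
SAMPLE_LOCAL_SRI = "sha256-AQAA" + "A" * 39 + "="          # same digest, SRI base64
SAMPLE_NARINFO = f"""StorePath: /nix/store/{"0" * 32}-example-1.0
URL: nar/example.nar.xz
Compression: xz
NarHash: {SAMPLE_NAR_HASH_B32}
NarSize: 120
References: 
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: verify.py /nix/store/<path> https://cache.example
        ok = narinfo_matches(fetch_narinfo(sys.argv[2], sys.argv[1]), local_nar_hash(sys.argv[1]))
    else:  # no arguments: run against the constructed sample
        ok = narinfo_matches(SAMPLE_NARINFO, SAMPLE_LOCAL_SRI)
    print("MATCH" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

Run it with a store path and a cache URL to compare a path you built locally (with substitutes disabled) against that cache; without arguments it only exercises the constructed sample. The hash-encoding step matters because the two sources disagree on format: the narinfo uses Nix's own base32 alphabet with digits in reverse order, while recent `nix path-info --json` prints SRI base64, so a plain string comparison would report every path as a mismatch.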