There are a few levels of provenance that we're interested in.
Currently this post-build-hook records build-time provenance:
what were the evaluation-time inputs used to produce the resulting derivation?
Questions:
- How does this work with IFD (import-from-derivation)?
- How does this work with dynamic derivations?
- How does this work with tvix, where evaluation drives the build and there is no split into two separate phases?
- What derivation built a given set of out-paths?
- What were the build-time dependencies of that derivation?
- What builder built the derivation?
We can roughly divide these into two groups:
- Things that you always want to check
- Things that you want to check in a post-compromise scenario
E.g. when substituting an out-path, you want to know the references of that out-path.
- What derivation built the builder that built the derivation?
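The record these notes describe, as an added example that is not the hook's own code nor part of these notes: it assembles the build-time provenance (deriver, build-time inputs, builder) from the JSON that `nix derivation show <drv>` prints and the path lists that `nix-store --query` prints, and runs the always-check question against it (every runtime reference of an out-path must be a sibling output or a path from the build input closure). It assumes a Nix with the nix-command feature for `nix derivation show` (older Nix spells it `nix show-derivation`), and `nix-store -qR --include-outputs <drv>` as the way to get the build input closure. Every store path in the sample is constructed, and the `sp`, `store_path_of`, `build_provenance`, `unexplained_references` and `record_from_nix` names are this example's own.

```python
"""Added example: build-time provenance record for a Nix post-build-hook.
Parses `nix derivation show` JSON and `nix-store --query` output; all
store paths below are constructed stand-ins, not real ones."""
import json
import os
import re
import subprocess
import sys

# /nix/store/<32 chars of Nix base32>-<name>; Nix's base32 omits e, o, t, u.
STORE_PATH_RE = re.compile(r"^/nix/store/[0-9abcdfghijklmnpqrsvwxyz]{32}-[^/\s]+$")


def sp(hash_char, name):
    """Constructed store path with a fake (but well-formed) 32-char hash."""
    return "/nix/store/%s-%s" % (hash_char * 32, name)


HELLO_DRV, HELLO_OUT = sp("h", "hello-2.12.drv"), sp("i", "hello-2.12")
BASH_DRV, BASH_OUT = sp("b", "bash-5.2.drv"), sp("c", "bash-5.2")
GLIBC_DRV, GLIBC_OUT = sp("g", "glibc-2.38.drv"), sp("d", "glibc-2.38")
STDENV_DRV, SRC_TARBALL = sp("s", "stdenv-linux.drv"), sp("x", "hello-2.12.tar.gz")
ROGUE_OUT = sp("q", "not-an-input-1.0")  # a reference no build input explains

# Constructed stand-in for `nix derivation show $HELLO_DRV`. Both shapes of
# "inputDrvs" are present: the older flat output list and the newer
# {"dynamicOutputs": ..., "outputs": ...} object.
SAMPLE_SHOW_JSON = json.dumps({HELLO_DRV: {
    "name": "hello-2.12", "system": "x86_64-linux",
    "builder": BASH_OUT + "/bin/bash",
    "args": ["-e", sp("z", "default-builder.sh")],
    "env": {"src": SRC_TARBALL, "out": HELLO_OUT},
    "inputDrvs": {BASH_DRV: ["out"], STDENV_DRV: ["out"],
                  GLIBC_DRV: {"dynamicOutputs": {}, "outputs": ["out"]}},
    "inputSrcs": [SRC_TARBALL],
    "outputs": {"out": {"path": HELLO_OUT}},
}})
# Constructed stand-ins for `nix-store -q --references $HELLO_OUT` and for
# `nix-store -qR --include-outputs $HELLO_DRV` (the build input closure).
GOOD_REFERENCES = {HELLO_OUT: [GLIBC_OUT, HELLO_OUT]}
BAD_REFERENCES = {HELLO_OUT: [GLIBC_OUT, ROGUE_OUT]}
INPUT_CLOSURE = [BASH_DRV, BASH_OUT, GLIBC_DRV, GLIBC_OUT, STDENV_DRV, SRC_TARBALL]


def store_path_of(path):
    """Store path (/nix/store/<hash>-<name>) containing `path`, else None."""
    top = "/".join(path.split("/")[:4])
    return top if STORE_PATH_RE.match(top) else None


def input_drvs(drv):
    """Normalise inputDrvs to {drv_path: [output names]} across both JSON shapes."""
    return {p: sorted(spec["outputs"] if isinstance(spec, dict) else spec)
            for p, spec in drv.get("inputDrvs", {}).items()}


def build_provenance(show_json, drv_path):
    """Build-time record: which derivation, its build-time inputs, its builder."""
    drv = json.loads(show_json)[drv_path]
    for p in [drv_path, *drv.get("inputDrvs", {}), *drv.get("inputSrcs", [])]:
        if not STORE_PATH_RE.match(p):
            raise ValueError("not a store path: %r" % p)
    return {
        "deriver": drv_path,
        "outputs": {n: o.get("path") for n, o in drv["outputs"].items()},
        "system": drv["system"],
        "input_drvs": input_drvs(drv),          # build-time dependencies
        "input_srcs": sorted(drv.get("inputSrcs", [])),
        "builder": drv["builder"],               # the program, not the machine
        # Its deriver (`nix-store -q --deriver`) answers the post-compromise
        # question "what built the builder"; builtin:* builders have none.
        "builder_store_path": store_path_of(drv["builder"]),
    }


def unexplained_references(record, references, input_closure):
    """Always-check group: a runtime reference of an output must be a sibling
    output or a path from the build input closure; anything else is reported."""
    allowed = set(record["outputs"].values()) | set(input_closure)
    bad = {out: sorted(set(refs) - allowed) for out, refs in references.items()}
    return {out: refs for out, refs in bad.items() if refs}


def record_from_nix(drv_path, out_paths):
    """Hook entry point: the same record from the real CLI (needs nix)."""
    q = lambda *a: subprocess.check_output(["nix-store", "--query", *a], text=True).split()
    show = subprocess.check_output(["nix", "derivation", "show", drv_path], text=True)
    rec = build_provenance(show, drv_path)
    rec["references"] = {p: q("--references", p) for p in out_paths}
    closure = q("--requisites", "--include-outputs", drv_path)
    rec["unexplained_references"] = unexplained_references(rec, rec["references"], closure)
    return rec


if __name__ == "__main__":
    if os.environ.get("DRV_PATH"):  # invoked by Nix as the post-build-hook
        rec = record_from_nix(os.environ["DRV_PATH"], os.environ.get("OUT_PATHS", "").split())
    else:                             # offline run on the constructed sample
        rec = build_provenance(SAMPLE_SHOW_JSON, HELLO_DRV)
        rec["unexplained_references"] = unexplained_references(rec, BAD_REFERENCES, INPUT_CLOSURE)
    json.dump(rec, sys.stdout, indent=2)
```

Nix hands a post-build-hook the derivation in `DRV_PATH` and its outputs, space-separated, in `OUT_PATHS`, which is what the `__main__` branch reads; with neither set it runs on the constructed sample and reports the rogue reference. The record deliberately stops at the builder's store path: following it to the builder's own deriver is the post-compromise query, and with IFD or dynamic derivations the deriver chain may not be static at the time the hook runs.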