[UX] Improve untrusted user warning message

[lisanna-dettwyler]

Based on user feedback mentioned in the linked issue, more information about how to resolve an untrusted user issue should be provided in the warning message.

Resolves #8248

Motivation

This resolves a popular UX issue.

Context

#8248

---

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

[lisanna-dettwyler]

[untrusted@scarab:~]$ nix build nixpkgs#hello --option extra-substituters https://cachix.nixos.org/
warning: ignoring untrusted substituter 'https://cachix.nixos.org/', you are not a trusted user.
Add your username to the trusted-users setting in /etc/nix/nix.conf and then restart the daemon
(e.g. sudo systemctl restart nix-daemon).
Run `man nix.conf` for more information on the `substituters` configuration option.

[grahamc]

It might be better to have this link to a docs page about trusted users. There are caveats here: like the trust model, reasons to not do this, etc. that deserve to be presented. If the tool presents the simple instruction to follow, it could achieve it better by dropping untrusted users altogether (which would be a mistake.)

[lisanna-dettwyler]

Updated to do this, and added a note to trusted-users about alternatives.

[lisanna-dettwyler]

Is it OK to recommend that someone trying to use a privileged setting to make themselves a trusted user? Or should the warning message more specifically recommend that they add the privileged setting itself to /etc/nix/nix.conf instead of editing trusted-users?

[xokdvium]

This should really be up to the user, especially because being in trusted-users is equivalent to passwordless sudo.

[xokdvium]

If anything, even less users should be specifying trusted-users. I think there's a clear lack of understanding what that option even does - thus people are tempted to add themselves to trusted-users just to make the warning go away. We must not worsen the situation here.

[lisanna-dettwyler]

[untrusted@scarab:~]$ nix build nixpkgs#hello --option extra-substituters https://cachix.nixos.org/
warning: ignoring untrusted substituter 'https://cachix.nixos.org/', you are not a trusted user.
Run `man nix.conf` for more information on the 'substituters' and 'trusted-users' configuration options.
warning: ignoring untrusted substituter 'https://cachix.nixos.org/', you are not a trusted user.
Run `man nix.conf` for more information on the 'substituters' and 'trusted-users' configuration options.

[untrusted@scarab:~]$ nix build nixpkgs#hello --option trusted-public-keys ""
warning: ignoring the client-specified setting 'trusted-public-keys', because it is a restricted setting and you are not a trusted user.
Run `man nix.conf` for more information on the 'trusted-public-keys' and 'trusted-users' configuration options.
warning: ignoring the client-specified setting 'trusted-public-keys', because it is a restricted setting and you are not a trusted user.
Run `man nix.conf` for more information on the 'trusted-public-keys' and 'trusted-users' configuration options.

For some reason the warning message gets printed twice... not sure what's going on there.