NixOS Is Not Reproducible
Okay, sorry for the clickbait. NixOS is not reproducible according to the Reproducible Builds definition. I keep reading people claim that it is, repeatedly on orange-site, and even LWN.net made a similar claim when writing about Nix and Guix earlier this week [1], as did their recently launched wiki. So, what is the Reproducible Builds definition? [2]

When is a build reproducible?

"A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts."
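The definition can be applied literally: build twice from the same source with the same instructions and compare the bytes. The shell script below is an added example (it is not code from this post, nor Nix's own tooling) that does that for a toy build, contrasting a build that leaks its build directory and the wall clock into the artifact with one that pins both, using the SOURCE_DATE_EPOCH convention from reproducible-builds.org. The sample source file, the function names and the fixed epoch value are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from the post: a toy "build" pipeline that applies
# the Reproducible Builds definition literally. Same source, same build
# instructions, built twice; the build is reproducible only if the two
# artifacts are bit-for-bit identical (checked here via SHA-256).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample source file (any content works for the demo).
printf 'int main(void) { return 0; }\n' > "$WORK/main.c"

# Fixed epoch for the hermetic build, following the SOURCE_DATE_EPOCH
# convention from reproducible-builds.org; the value itself is arbitrary.
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-1700000000}"

sha256_of() {
    # Portable SHA-256 of a file: sha256sum (GNU) or shasum (BSD/macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

build_naive() {
    # Build that leaks two classic sources of non-determinism into the
    # artifact: the absolute (random) build directory and the wall clock.
    # Source and instructions never change, yet every run differs.
    out="$1"
    builddir="$(mktemp -d)"
    cp "$WORK/main.c" "$builddir/main.c"
    {
        printf 'source-path: %s\n' "$builddir/main.c"
        printf 'built-at: %s\n' "$(date +%s)"
        cat "$builddir/main.c"
    } > "$out"
    rm -rf "$builddir"
}

build_hermetic() {
    # Same inputs and steps, but the source is referenced relative to the
    # source root and the timestamp comes from SOURCE_DATE_EPOCH rather
    # than the clock, so any party gets the same bytes.
    out="$1"
    builddir="$(mktemp -d)"
    cp "$WORK/main.c" "$builddir/main.c"
    {
        printf 'source-path: %s\n' "./main.c"
        printf 'built-at: %s\n' "$SOURCE_DATE_EPOCH"
        cat "$builddir/main.c"
    } > "$out"
    rm -rf "$builddir"
}

reproducible() {
    # $1 names a build function. Run it twice from the same source and
    # compare the artifacts. Exit status 0 means bit-for-bit identical.
    a="$WORK/$1.a"
    b="$WORK/$1.b"
    "$1" "$a"
    "$1" "$b"
    [ "$(sha256_of "$a")" = "$(sha256_of "$b")" ]
}

# Stand-alone demo. Wrapped in `if` so a failing check does not trip set -e.
for build in build_naive build_hermetic; do
    if reproducible "$build"; then
        echo "$build: reproducible (identical hashes)"
    else
        echo "$build: NOT reproducible (hashes differ)"
    fi
done
```

Note that the comparison is over the output bytes, not over the inputs: that is what "bit-by-bit identical copies of all specified artifacts" asks for. The equivalent check for a Nix derivation is to rebuild it and compare, for example with `nix-build --check`, which rebuilds an already-built derivation and reports whether the result differs.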
To expand on the vocabulary used in this realm, I thought I'd defer to the "Building Secure and Reliable Systems" book from Google. This is what I believe the last few years of "Supply Chain Security" focus have given us, with build provenance, attestation and a myriad of SBOM standards. I have invested a lot of my free time in this topic since 2017, and for just as long the accomplishments we have had have been met with "Doesn't NixOS solve this?"… so I thought it would be of interest to people to clarify.