@madjar
Created July 14, 2014 15:00
The goal of the binary determinism patchset (pull request #2281) is to
make it possible to reproduce an identical set of Nix packages,
bit-for-bit. Today, Nix correctly tracks dependencies for a given
package, and incorporates them as part of the hash for a derivation.
But this hash doesn't guarantee the resulting binaries and assets are
always the same when you build it.

A standard example is a C program that uses the __DATE__ macro - while
a Nix build of such a package is reproducible because it will always
use the same build steps, every build will result in a slightly
different output binary as it's built on a different date. The
determinism patchset fixes this, amongst other things. So now a Nix
build is not only reproducible, it will result in deterministic
binaries, every time.

Determinism is an important aspect of system security and trust. In
particular, it means that build machines cannot lie to you even if
they are compromised, and you can verify you are always given
legitimate binaries. This means we no longer have to trust that Hydra,
or NixOS.org is serving us binaries without backdoors - if it's always
possible to reproduce a binary identically, it's easy to check if
someone has given you a bad package by simply comparing them. This
makes inserting a backdoor into a trusted system significantly more
difficult.

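As an added illustration of the verification step described above (example code, not from this gist or from the Nix patchset): given a binary you were served and your own rebuild of it, matching hashes mean the rebuild reproduced it exactly; when they differ, the check reports whether every differing byte sits inside a `__DATE__`-style string (the `"Mmm dd yyyy"` form that macro expands to), which is the benign non-determinism the text names, or somewhere else, which calls for investigation. The sample "binaries" are constructed byte strings, not real compiler output.

```python
import hashlib
import re

# __DATE__ expands to a string such as "Jul 14 2014" (day space-padded to 2 chars).
DATE_RE = re.compile(rb"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-3]\d \d{4}")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_ranges(a: bytes, b: bytes):
    """Return [(start, end)) byte ranges where a and b differ; a length mismatch is reported as one trailing range."""
    n = min(len(a), len(b))
    ranges, i = [], 0
    while i < n:
        if a[i] != b[i]:
            start = i
            while i < n and a[i] != b[i]:
                i += 1
            ranges.append((start, i))
        else:
            i += 1
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def classify(served: bytes, rebuilt: bytes) -> str:
    """'identical' if hashes match; 'timestamp-only' if every differing byte lies inside a
    __DATE__-style string in both inputs; otherwise 'suspect' (code or data differs)."""
    if sha256(served) == sha256(rebuilt):
        return "identical"
    ranges = differing_ranges(served, rebuilt)

    def covered(blob: bytes) -> bool:
        spans = [m.span() for m in DATE_RE.finditer(blob)]
        return all(any(s <= lo and hi <= e for s, e in spans) for lo, hi in ranges)

    return "timestamp-only" if covered(served) and covered(rebuilt) else "suspect"


def fake_build(date: bytes, code: bytes = b"\x55\x48\x89\xe5\xc3") -> bytes:
    """Constructed stand-in for a compiled object: a few code bytes, then an embedded __DATE__ string."""
    return code + b"\x00built on " + date + b"\x00"


if __name__ == "__main__":
    served = fake_build(b"Jul 14 2014")
    print(classify(served, fake_build(b"Jul 14 2014")))                   # identical
    print(classify(served, fake_build(b"Jul 15 2014")))                   # timestamp-only
    print(classify(served, fake_build(b"Jul 14 2014", b"\x55\x48\x89\xe5\xcc")))  # suspect
```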
The current patchset to enable this, written by Alexander Kjeldaas
(and not me!), will hopefully be available in Nixpkgs soon. There are
still some things to work out with the determinism patchset. The
biggest holdup at the moment is that the most important component of
the system, the C compiler GCC, suffers a performance hit when the
patchset is enabled. This would have a significant speed impact on the
Hydra binary cache, among other things. However, much of the remaining
work can be merged with no significant impact.

This work will put NixOS in a good place as far as trusted systems go
I think, and as a bonus, any Linux user can get a reproducible,
deterministic toolchain by just installing Nix!