Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
The goal of the binary determinism patchset (pull request #2281) is to
make it possible to reproduce an identical set of Nix packages,
bit-for-bit. Today, Nix correctly tracks dependencies for a given
package, and incorporates them as part of the hash for a derivation.
But this hash doesn't guarantee the resulting binaries and assets are
always the same when you build it.
A standard example is a C program that uses the __DATE__ macro - while
a Nix build of such a package is reproducible because it will always
use the same build steps, every build will result in a slightly
different output binary as it's built on a different date. The
determinism patchset fixes this, amongst other things. So now a Nix
build is not only reproducible, it will result in deterministic
binaries, every time.
Determinism is important aspect of system security and trust. In
particular, it means that build machines cannot lie to you even if
they are compromised, and you can verify you are always given
legitimate binaries. This means we no longer have to trust that Hydra,
or is serving us binaries without backdoors - if it's always
possible to reproduce a binary identically, it's easy to check if
someone has given you a bad package by simply comparing them. This
makes inserting a backdoor into a trusted system significantly more
The current patchset to enable this, written by Alexander Kjeldaas
(and not me!), will hopefully be available in Nixpkgs soon. There are
still some things to work out with the determinism patchset. The
biggest holdup at the moment is that the most important component of
the system, the C compiler GCC, suffers a performance hit when the
patchset is enabled. This would make a significant speed impact on the
Hydra binary cache, among other things. However, much of the remaining
work can be merged with no significant impact.
This work will put NixOS in a good place as far as trusted systems go
I think, and as a bonus, any Linux user can get a reproducible,
deterministic toolchain by just installing Nix!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment