Gist madjar/545e1a9b6a8f9b7faeb8
The goal of the binary determinism patchset (pull request #2281) is to
make it possible to reproduce an identical set of Nix packages,
bit-for-bit. Today, Nix correctly tracks the dependencies of a given
package and incorporates them into the hash of its derivation. But
that hash only identifies the inputs and the build recipe; it does not
guarantee that the resulting binaries and assets are the same every
time you build it.

A standard example is a C program that uses the __DATE__ macro. A Nix
build of such a package is reproducible in the sense that it always
runs the same build steps, but every build produces a slightly
different output binary, because the compiler embeds the date on which
it ran. The determinism patchset fixes this, amongst other things, so
a Nix build is not only reproducible but yields deterministic,
bit-identical binaries every time.

Determinism is an important aspect of system security and trust. In
particular, it means that a build machine cannot lie to you even if it
is compromised: anyone can rebuild the package and verify that the
binary they were given is the legitimate one. This means we no longer
have to trust that Hydra, or NixOS.org, is serving binaries without
backdoors. If a binary can always be reproduced identically, checking
whether someone has given you a bad package is simply a matter of
rebuilding it and comparing the two. This makes inserting a backdoor
into a trusted system significantly more difficult.

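The rebuild-and-compare check that the two preceding paragraphs rely on, as an added shell example that is not part of the gist or of the Nix project's own code. It works on plain directory trees (a local rebuild next to the copy fetched from a binary cache); the package name, paths and sample "binaries" are constructed for the demo, and the first pair of trees differs only by an embedded build date, which is exactly the __DATE__ problem.

```shell
#!/bin/sh
# Added example (not from the gist or from Nix): verify a package by
# rebuilding it and comparing the two output trees bit-for-bit.
# All directory names and file contents below are constructed for the demo.

# Emit "<sha256>  <relative path>" for every regular file under $1, in a
# fixed order, so two bit-identical trees always produce the same manifest.
tree_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f"
        else
            shasum -a 256 "$f"      # macOS fallback
        fi
    done )
}

# Compare two build outputs of the same derivation, e.g. a local rebuild
# and the copy served by a binary cache. Returns 0 when they are
# bit-for-bit identical, 1 otherwise, listing files that differ or are
# missing on one side.
check_reproducible() {
    a=$1
    b=$2
    ma=$(tree_manifest "$a")
    mb=$(tree_manifest "$b")
    if [ "$ma" = "$mb" ]; then
        echo "OK: $a and $b are bit-for-bit identical"
        return 0
    fi
    echo "MISMATCH: $a and $b differ in the following files:"
    ta=$(mktemp) && tb=$(mktemp)
    printf '%s\n' "$ma" > "$ta"
    printf '%s\n' "$mb" > "$tb"
    # Lines unique to either manifest are files whose content or presence differs.
    diff "$ta" "$tb" | grep '^[<>]' || true
    rm -f "$ta" "$tb"
    return 1
}

# Demo: three trees for a hypothetical "hello" package.
#   jan1 / jan2  : the same source built on two days, binary embeds the date
#   tampered     : jan1 with an extra byte appended, standing in for a cache
#                  copy that has been modified after the fact
demo() {
    root=$(mktemp -d)
    for n in jan1 jan2 tampered; do
        mkdir -p "$root/$n/bin" "$root/$n/share/doc"
        printf 'hello 1.0 documentation\n' > "$root/$n/share/doc/README"
    done
    printf 'hello-stub built Jan  1 2015\n' > "$root/jan1/bin/hello"
    printf 'hello-stub built Jan  2 2015\n' > "$root/jan2/bin/hello"
    printf 'hello-stub built Jan  1 2015\nextra\n' > "$root/tampered/bin/hello"

    echo "== non-deterministic build (embedded date): expect MISMATCH =="
    check_reproducible "$root/jan1" "$root/jan2" || true
    echo "== deterministic build vs. tampered cache copy: expect MISMATCH =="
    check_reproducible "$root/jan1" "$root/tampered" || true
    echo "== deterministic build vs. an exact rebuild: expect OK =="
    cp -R "$root/jan1" "$root/rebuild"
    check_reproducible "$root/jan1" "$root/rebuild" || true
    rm -rf "$root"
}

demo
```

Note that the check only has teeth once the build is deterministic: with an embedded date, the first comparison fails on every honest rebuild, so a tampered copy is indistinguishable from a merely re-dated one. Nix exposes the same rebuild-and-compare step as `nix-build --check`, which rebuilds a derivation and reports whether the result differs from the output already in the store. For the __DATE__ case specifically, GCC 7 and later substitute the value of the SOURCE_DATE_EPOCH environment variable for __DATE__ and __TIME__ when it is set, and `-Wdate-time` warns on any use of those macros.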
The current patchset to enable this, written by Alexander Kjeldaas
(and not me!), will hopefully be available in Nixpkgs soon. There are
still some things to work out. The biggest holdup at the moment is
that the most important component of the system, the C compiler GCC,
suffers a performance hit when the patchset is enabled, which would
have a significant impact on build speed for the Hydra binary cache,
among other things. Much of the remaining work, however, can be merged
with no significant impact.

This work will put NixOS in a good place as far as trusted systems go,
I think, and as a bonus, any Linux user can get a reproducible,
deterministic toolchain by just installing Nix!