
Weethet | 7 months ago

nixpkgs already has 107158 packaged libraries/executables. Nix has infrastructure to support arbitrary build systems and can create docker images. I fail to see any advantages of creating a more narrow version of it that has fewer uses and has to start from scratch.

msuozzo|7 months ago

Author here!

Both nix and guix are exciting projects with a lot of enviable security properties. Many here can attest that using them feels like, and perhaps is, the future. I see OSS Rebuild as serving more immediate needs.

By rebuilding packages from the registries people already use, we can bring some of those security properties to users without them needing to change the way they get their software.

kam|7 months ago

Nixpkgs pulls source code from places like pypi and crates.io, so verifying the integrity of those packages does help the Nix ecosystem along with everyone else.

Y_Y|7 months ago

Why not help them help bring their packages to users, rather than borrowing and circumventing the existing effort?

hollerith|7 months ago

The Nix community has a poor record on security and supply-chain integrity in particular [1] whereas Google has a great record on security, and this announcement (of OSS Rebuild) was written by a member of the "Google Open Source Security Team".

[1]: "it means effectively a decision was made for NixOS to be a hobby distro not suitable for any targeted applications or individuals. It really sucks, because I love everything else about nix design. Instead I am forced to bootstrap high security applications using arch and debian toolchains which are worse than nix in every way but supply chain integrity given that all authors directly sign package sources with their personal well verified keys."

https://news.ycombinator.com/item?id=36268776

lrvick|7 months ago

Since writing the post you link, I finally threw my hands up and made a new distro with some security engineer peers that prioritizes supply chain security and mandates 100% full source bootstrapping and determinism: https://stagex.tools

It does not even try to be a workstation distro so we can get away with a small number of packages, focusing on building software with high accountability.

Thankfully OCI build tooling is mature enough now that we can build using standards and do not need a custom build framework and custom languages like nix/guix do anymore.

Weethet|7 months ago

This is an issue with nixpkgs, not nix. Google could've just bootstrapped their own nixpkgs from scratch if they wanted to, see Guix (not a perfect example but still). Creating a whole new tool is still completely unnecessary.

ChocolateGod|7 months ago

Nix/NixOS files often break due to Nix pkg maintainers not caring about keeping support for existing configuration formats. I experience a breakage roughly every 2 weeks when a variable/package gets renamed or changed.

kpcyrd|7 months ago

oss-rebuild is for independent verification, which cache.nixos.org doesn't have yet. I'm still waiting for https://github.com/nix-community/trustix to become a thing.

Until then they are still behind Debian and Arch Linux, which do in fact implement this with rebuilderd and debrebuild/archlinux-repro.

mbonnet|7 months ago

Advantages: potentially useful/extant/readable documentation.

pjmlp|7 months ago

Not everyone uses Nix, and there are other operating systems used in the world.

nicce|7 months ago

A corporation the size of Google must be in control itself.