-
-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathindex.html
94 lines (92 loc) · 4.11 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
<!DOCTYPE html>
<html lang="en">
<head>
<title>NixOS Reproducible Builds</title>
<link rel="stylesheet" href="styles/index.css">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta property="og:image" content="https://reproducible.nixos.org/nixos-rb-logo.png">
<meta property="og:title" content="NixOS Reproducible Builds">
<meta property="og:description" content="Reproducible Builds allow us to have independently-verifiable binaries. This page summarizes the progress towards that goal for NixOS.">
<style>
body {
padding: 3em;
}
h1 {
color: #1e5b96ff;
}
</style>
</head>
<body>
<div style="display: flex; flex-wrap: wrap; align-items: center; justify-content: center">
<img id="logo" align="center" style="max-height:8em;" src="nixos-rb-logo.svg">
<h1>NixOS<br>Reproducible Builds</h1>
</div>
<p>
When compiling from the same source on independent infrastructure
yields bit-by-bit identical results, this gives confidence that
the build infrastructure was not compromised and the artifact really
does correspond to the source.
</p>
<p>
Because a Nix derivation has deterministic references to all
of its dependencies, and the build happens in a sandbox,
Nix is an excellent starting point for achieving
<a href="https://reproducible-builds.org/">Reproducible Builds</a>.
</p>
<p>
However, this alone is not sufficient: builds may still leak
timestamps or have other nondeterminisms. For nixpkgs, such problems are tracked
with the <a href="https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22">'reproducible builds' issue tag</a>.
You can report a new issue using the <a href="https://github.com/NixOS/nixpkgs/issues/new?template=10_unreproducible_package.yml">issue template</a>.
</p>
<h2>Checking reproducibility</h2>
<p>
Building a package twice can't prove it is reproducible: you might simply have gotten lucky. However, it is a useful first step.
</p>
<p>
To check whether you can reproduce a package on your machine,
you can use <code>nix-build '<nixpkgs>' -A hello --check --keep-failed</code> or <code>nix build nixpkgs#hello --rebuild --keep-failed</code>.
</p>
<p>
For fixed-output derivations, run the build four times:
<ul>
<li>With an empty <code>outputHash</code>
<li>With the <code>outputHash</code> produced in the previous build, saving the <code>result</code>
<li>With an empty <code>outputHash</code> again
<li>With the <code>outputHash</code> produced in the previous build
</ul>
</p>
<p>
On failures, you can use <a href="https://diffoscope.org">diffoscope</a>
to analyze the differences in the outputs of the two builds. To view
the build log of the build that produced the artifact in the binary cache you can use <code>nix-store --read-log $(nix-instantiate '<nixpkgs>' -A hello)</code>.
</p>
<h2>Reports</h2>
<p>
As a general health check, we are producing reports on the
reproducibility of the packages that make up our minimal and
Gnome installation ISO's:
</p>
<ul>
<li><a href="nixos-iso-minimal-runtime">Minimal ISO (runtime dependencies)</a>
<li><a href="nixos-iso-minimal-r13y">Minimal ISO (build-time dependencies)</a>
<li><a href="nixos-iso-gnome-runtime">Gnome ISO (runtime dependencies)</a>
<li><a href="nixos-iso-gnome-r13y">Gnome ISO (build-time dependencies)</a>
</ul>
<p>
The 'build-time dependencies' reports include all packages that are needed to build the ISO. The 'runtime dependencies' reports only include the packages that 'make it into' the ISO, meaning they contain much less noise, but also might miss relevant build-time unreproducibilities.
</p>
<h2>Get involved!</h2>
<p>
For an overview of issues for those milestones see this <a href="https://github.com/orgs/NixOS/projects/30">Project</a>.
If anything seems wrong/incomplete ping <a href="https://merveilles.town/@raboof">raboof</a>.
</p>
<p>
Helping make NixOS reproducible is a great way to contribute
and learn - join us on Matrix at <a href="https://matrix.to/#/#reproducible-builds:nixos.org">#reproducible-builds:nixos.org</a> if you want to chat.
</p>
<p>
The source for this page can be found <a href="https://github.com/NixOS/reproducible.nixos.org">here</a>.
</p>
</body>
</html>