bio

  • 9 Posts
  • 17 Comments
Joined 2 years ago
cake
Cake day: June 15th, 2023

help-circle

  • I have definitely found it challenging at times to do even simple things. I think it does get easier over time.

    I really hope the new user experience will improve. Once the issues with flakes are fixed and they are no longer experimental I would expect flakes to replace the other ways of doing things. This will hopefully make the documentation more concise/focused/better. It might also mean more people start using nix/flakes which will surface more of these problems to be fixed.

    I think people need to decide if the benefits they are getting are worth the challenges. I personally really like the reproducibility and the massive amount of packages available from one place. On other distros I have used things have ended up breaking eventually and I have had to re-install things and search for fixes. But on NixOs things keep working.


















  • That seems like an argument for maintaining a frozen repo of packages, not against containers.

    I am not arguing against containers, I am arguing that nix is more reproducible. Containers can be used with nix and are useful in other ways.

    an argument for maintaining a frozen repo of packages

    This is essentially what nix does. In addition it verifies that the packages are identical to the packages specified in your flake.nix file.

    You can only have a truly fully-reproducible build environment if you setup your toolchain to keep copies of every piece of external software so that you can do hermetic builds.

    This is essentially what Nix does, except Nix verifies the external software is the same with checksums. It also does hermetic builds.




  • Are you saying that nix will cache all the dependencies within itself/its “container,” or whatever its container replacement would be called?

    Yep, sort of.

    It saves each version of your dependencies to the /nix/store folder with a checksum prefixing the program name. For example you might have the following Firefox programs

    /nix/store/l7ih0zcw2csi880kfcq37lnl295r44pj-firefox-100.0.2
    /nix/store/cm1bdi4hp8g8ic5jxqjhzmm7gl3a6c46-firefox-108.0.1
    /nix/store/rfr0n62z21ymi0ljj04qw2d7fgy2ckrq-firefox-114.0.1
    

    Because of this you can largely avoid dependency conflicts. For example a program A could depend on /nix/store/cm1bdi4hp8g8ic5jxqjhzmm7gl3a6c46-firefox-108.0.1 and a program B could depend on /nix/store/rfr0n62z21ymi0ljj04qw2d7fgy2ckrq-firefox-114.0.1 and both programs would work as both have dependencies satisfied. AFAIK using other build systems you would have to break program A or program B (or find versions of program A and program B where both dependencies are satisfied).


  • You might be interested in this article that compares nix and docker. It explains why docker builds are not considered reproducible:

    For example, a Dockerfile will run something like apt-get-update as one of the first steps. Resources are accessible over the network at build time, and these resources can change between docker build commands. There is no notion of immutability when it comes to source.

    and why nix builds are reproducible a lot of the time:

    Builds can be fully reproducible. Resources are only available over the network if a checksum is provided to identify what the resource is. All of a package’s build time dependencies can be captured through a Nix expression, so the same steps and inputs (down to libc, gcc, etc.) can be repeated.

    Containerization has other advantages though (security) and you can actually use nix’s reproducible builds in combination with (docker) containers.