Reproducibility: NixOS

Is NixOS Reproducible?

Tracking: nixos-unstable's nixos.iso_minimal.x86_64-linux job for x86_64-linux.

Build via:

git clone https://github.com/nixos/nixpkgs.git
cd nixpkgs
git checkout 34a7b3142e34796133fcb3f9c857d7b17982fdaa
nix-build ./nixos/release-combined.nix -A nixos.nixos.iso_minimal.x86_64-linux

1733 out of 1737 (99.77%) paths in the nixos.iso_minimal.x86_64-linux installation image are reproducible!

2 unchecked


unreproduced paths

  • /nix/store/waa7859v2gqnrn81wdg1mhyvcc38d418-rust-cbindgen-0.23.0.drv
  • (diffoscope) out

unchecked paths


    How are these tested?

    Each build is run twice, at different times, on different hardware running different kernels.

    How confident can we be in the results?

    Fairly. We don't currently inject randomness at the filesystem layer, but many of the reproducibility issues are being exercised already. It isn't possible to guarantee a package is reproducible, just like it isn't possible to prove software is bug-free. It is possible there is nondeterminism in a package source, waiting for some specific circumstance.

    This is why we run these tests: to track how we are doing over time, and to submit bug fixes for nondeterminism when we find it.

    How can I help?

    How can we do better?

    There are further steps we could take. For example, the next likely step is using disorderfs, which injects additional nondeterminism by reordering directory entries.
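Why directory order matters, as an added example that is not part of r13y.com or Nix: a packer that visits files in whatever order the listing returns them produces a different archive when only the order changes, which a rebuild on a filesystem that happens to return the same order never reveals. The file set, the timestamps and the names FILES, pack and compare are constructed for this illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample build output: relative path -> contents.
FILES = {
    "bin/hello": b"#!/bin/sh\necho hello\n",
    "lib/libhello.so": b"constructed library bytes",
    "share/doc/README": b"hello docs\n",
}

def pack(listing, mtime, normalize=False):
    """Return the SHA-256 of a tar built from FILES, visited in `listing` order."""
    if normalize:
        listing = sorted(listing)  # do not depend on directory entry order
        mtime = 1                  # do not depend on the build time
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in listing:
            info = tarfile.TarInfo(name)  # uid, gid and mode take fixed defaults
            info.size = len(FILES[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(FILES[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()

def compare(normalize):
    """Build three times and report which rebuilds match the first build."""
    readdir = list(FILES)               # order returned on the first builder
    shuffled = list(reversed(readdir))  # a reordered listing, as disorderfs would return
    base = pack(readdir, 1654533718, normalize)        # constructed build time
    later = pack(readdir, 1654620118, normalize)       # same order, one day later
    reordered = pack(shuffled, 1654533718, normalize)  # same time, different order
    return {"later": base == later, "reordered": base == reordered}

if __name__ == "__main__":
    print("naive packer:     ", compare(normalize=False))
    print("normalized packer:", compare(normalize=True))
```

The "later" case is what rebuilding at a different time already exercises; the "reordered" case is only exercised when the two builds see different directory orders.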

    How can I test my patches?

    Nix has built-in support for checking that a path is reproducible. There are two routes.

    Suppose you are debugging a nondeterminism bug in hello. To check it, you build the package, and then build it again with --check --keep-failed. This leaves the differing output in a separate directory, which you can then compare against the original with diffoscope.

    $ nix-build . -A hello
    $ nix-build . -A hello --check --keep-failed
    [...snip...]
    error: derivation '/nix/store/...hello.drv' may not be deterministic:
    output '/nix/store/...-hello' differs from '/nix/store/...hello.check'
    $ diffoscope /nix/store/...hello /nix/store/...hello.check
    

    Note: the .check output is not a valid store path, and will automatically be deleted on the next run of the Nix garbage collector.

    There is support for an automatic diff-hook in Nix 2, but it is much more complicated to set up. If you would like to work on this, or need help setting it up, contact us on Matrix. We can work together to write docs on how to use it.


    Generated at 2022-06-06 16:41:58.032173 UTC from https://github.com/grahamc/r13y.com.