NixOS Reproducible Builds: minimal ISO successfully independently rebuilt

548 points by CathalMullan over 1 year ago

11 comments

onedognight over 1 year ago
Rebuilding the minimal ISO from source is an impressive milestone on the journey to a system that builds from source reproducibly. Guix had an orthogonal but equally impressive milestone on the same journey recently[0], bootstrapping a full compiler toolchain from a single reproducible 357 byte binary without any other binary compiler blobs. These two features may one day soon be combined to reproducibly build a full distribution from source.

[0] https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/

ahmedfromtunis over 1 year ago
Stupid question as I never worked on something like this before: why isn't reproducibility the default behavior?

I mean if 2 copies of a piece of software were compiled from the same source, what stops them from being identical each and every time?

I know there are so many moving parts, but I still can't understand how discrepancies can manifest themselves.

mihalycsaba over 1 year ago
Sorry for being dense, but I thought one of the main reasons for nixos's existence is reproducibility. I thought they have these kinds of things solved already.

I have only ~2 hours experience with Nixos, wanted to try hyprland, I thought it would be easier on Nixos since hyprland needs a bit of setup and maybe it's easier to use someone else's config on nixos, than on some other distro. Finding a config was hard too, found like 3 on some random github gists, thought there would be more... and none of them worked, at that point I gave up.

Reventlov over 1 year ago
For those wondering: it should be remembered that the reproducibility of Nix / NixOS / Nixpkgs is only a reproducibility of the sources: if the sources change, one is warned, but it is not a question of the reproducibility of the binaries (which can change at each build). This binary reproducibility of Nix / NixOS / Nixpkgs is indeed not really tested, at least not systematically.

Guix, Archlinux, Debian do the binary reproducibility better than Nix / NixOS / Nixpkgs.

Sources:

- https://r13y.com/ ( Nix* )
- https://tests.reproducible-builds.org/debian/reproducible.html ( Debian )
- https://tests.reproducible-builds.org/archlinux/archlinux.html ( Archlinux )
- https://data.guix.gnu.org/repository/1/branch/master/latest-processed-revision/package-reproducibility (Guix, might be a bit slow to load, here is some cached copy https://archive.is/lTuPk )

somat over 1 year ago
I find it funny (ironic) that the OpenBSD project is trying hard to go the other way, every single install has unique and randomized address offsets.

While I understand that these two goals, reproducible builds and unique installs, are orthogonal to each other, both can be had at the same time, the duality of the situation still makes me laugh.

lrvick over 1 year ago
Now if only they would have maintainers sign packages like almost every other linux distribution has done since the 90s, so we have any idea if the code everyone is building is the same code submitted and reviewed by known individuals.

Until signing is standardized, it is hard to imagine using nix in any production use case that protects anything of value.

mbakke over 1 year ago
Very impressive milestone, congrats to those who made this possible!

> [...] actually rebuilding the ISO still introduced differences. This was due to some remaining problems in the hydra cache and the way the ISO was created.

Can anyone shed some light on the fix for "how the ISO was created"? I attempted making a reproducible ISO a while back but could not make the file system create extents in a deterministic fashion.

mgaunard over 1 year ago
Don't you have to fake the system time to do this? The time often ends up inside the binaries one way or another.
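
An added illustration, not part of the thread and not NixOS tooling, of the point raised in this comment and in the earlier question about why two builds differ: the build clock and the file-listing order leak into a `.tar.gz`, and pinning both (the time via the `SOURCE_DATE_EPOCH` convention) makes two builders produce the same hash. The file set, clock values and function names are constructed for the example.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> contents), not taken from the thread.
SOURCES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
    "Makefile": b"all:\n\tcc -o demo src/main.c\n",
}

def pack(files, order, mtime):
    """Write files into a .tar.gz with the given member order and timestamp; return SHA-256."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime  # stored in every tar member header
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # The gzip header carries its own 4-byte timestamp as well.
    with gzip.GzipFile(fileobj=out, mode="wb", filename="", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return hashlib.sha256(out.getvalue()).hexdigest()

def naive_build(files, listing_order, clock):
    # Takes the directory listing order and the wall clock as they come.
    return pack(files, listing_order, clock)

def reproducible_build(files, listing_order, clock, env):
    # Ignores both: sorts member names and pins time to SOURCE_DATE_EPOCH.
    return pack(files, sorted(files), int(env["SOURCE_DATE_EPOCH"]))

def compare_builders():
    """Run two simulated builders that differ only in clock and listing order."""
    env = {"SOURCE_DATE_EPOCH": "1698537600"}  # constructed value
    a = (list(SOURCES), 1700000000)            # builder A: listing order, clock
    b = (list(SOURCES)[::-1], 1700000060)      # builder B: reversed order, 60 s later
    return {
        "naive_clock_only": naive_build(SOURCES, a[0], a[1]) == naive_build(SOURCES, a[0], b[1]),
        "naive_order_only": naive_build(SOURCES, a[0], a[1]) == naive_build(SOURCES, b[0], a[1]),
        "reproducible": reproducible_build(SOURCES, *a, env) == reproducible_build(SOURCES, *b, env),
    }

if __name__ == "__main__":
    print(compare_builders())
```
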

Uptrenda over 1 year ago
Wouldn't this help solve the problem Ken Thompson wrote about in 'reflections on trusting trust?' If you can fully bootstrap a system from source code then it's harder to have things like back-doored compilers.

KennyFromIT over 1 year ago
I've lived in the Red Hat ecosystem for work recently. How does this compare to something like... Fedora Silverblue? Ansible? Fedora Silverblue + Ansible?

Crontab over 1 year ago
I love that there are people out there who care about things like this.