NixOS has one fatal flaw

Nix is hard in the way that programming is hard. Not everyone gets over the activation energy to be successful. The ones that do don&#x27;t regret the effort. Nix is complex because the problems it solves are high complexity problems that other systems don&#x27;t solve. Docker is not a substitute for Nix.<p>The solution isn&#x27;t to use a weaker tool, because the weaker tool doesn&#x27;t solve your problem. It&#x27;s not uncommon to see a programmer use a spreadsheet, but you wouldn&#x27;t expect to see a programmer use a spreadsheet where a database is needed. And you don&#x27;t see people trying to use garbage-collected languages to write operating systems, even though they are easier to use than C. It&#x27;s perhaps inefficient when a tool is too powerful for what you need, but it&#x27;s a fatal flaw if the tool you use is too weak for what you need.<p>Nix let&#x27;s you control your dependencies in a way no other tool even attempts. I can pin and patch any combination of dependencies, even conflicting ones in single environment, with reproducible builds— I&#x27;m in control of every detail. I would never consider a downgrade from that, but I&#x27;m open to upgrades if something even more capable came along.

&lt;quote&gt;<p>1. Docker Build<p>2. Docker Run<p>3. Docker Hub<p>Nix solves the last two.<p>Nix solves packaging your application and its dependencies better than Docker does!<p>&lt;&#x2F;qoute&gt;<p>What am I missing? They just said that Nix solves the last two and the first one better than docker does.<p>&gt; Running your container in a secure, multi-tenant fashion is definitely one of the problems Docker solves<p>Docker does not solve anything related to a secure multi-tenant environment. Docker can provide isolation between mostly trusted parties. Anything running on the same kernel must not be considered securely isolated.<p>So since I&#x27;m not getting security anyways running services in Nix is simple and provides the isolation that I care about. Applications aren&#x27;t going to accidentally break each other or cause dependency hell. I can use UNIX users if I want or even use simple containers like systemd-nspawn. But none of these are secure.<p>I agree that Docker provides nice UX, that is why it won. It made it easy to get something that works and can run fairly reliably across machines. It has flaws, especially reproducibility, but it works and is relatively easy to understand.<p>I sometimes wonder if the Nix stdenv does too much. It is optimized for running configure and make for you but ends up being a lot of complexity that most people don&#x27;t need with different phases and hooks. If you just use `pkgs.runCommand` you actually get a very simple docker-like experience where you just run commands and copy your build result to the output directory. Plus there is no messing around with build images vs output images to get small results.

The main thing that made understanding the language much easier was the realization that you arent actually looking at imperative commands. Nix is just a big lazily-evaluated JSON blob. All of the language is just commands to manipulate the values of that JSON. Once you understand that, I think its more straightforward (except some funky syntax like `&#x2F;&#x2F;`)

My biggest frustration with Nix is the lack of typing. Writing anything more than the basics, I feel like I quickly run into an issue of not being able to reason easily about what structures I&#x27;m manipulating, and I haven&#x27;t gotten very far by trying to lean on the editor I&#x27;m using either.

Something will evolve from that space which doesn&#x27;t have the flaw. Whether that thing will be called Nix or not, I don&#x27;t know. I think that means that it&#x27;s not a fatal flaw, it&#x27;s just a regular flaw.

Docker is easy to use because it leverages something that most programmers already know - how to run commands in the shell.<p>Writing a Dockerfile is mostly just figuring out which commands you need to execute, and writing them down.<p>Writing a Nix package is mostly just scratching your head at incomplete documentation, and hanging out at Nix IRC channel hoping someone will help you.

&gt; I think I understand Nix, too.<p>I don&#x27;t think so, not from what I&#x27;m reading. Not fully. Just comparing with Docker is a sign of limited understanding. Nix is not really a Docker competitor. You can run Nix stuff in a Docker, and it can build you a docker container image as well. Orthogonal. It&#x27;s just so happen that basic applications of Nix overlap with what Docker is often used for, so comparing the two might seems natural. But Nix is more and more fundamental: Nix is a shared language for software composition. Nix creates a Linux OS for me, prepares custom ISO with my fav. stuff built-in, prepares my home dir, maintains my servers, configures services I use, makes me a dev environment I can share inside my project, future-proofs ad-hoc scripts I wrote, builds me docker containers, builds rpm&amp;debs, makes me cross-compiling toolchains, and so much more.<p>Anyway, Nix does have an usability problem, but it&#x27;s not fatal.<p>It&#x27;s not worse than usability of e.g. git, or even usability of Docker.<p>Yeah. Docker. People now consider Docker a bread and butter of SWE, but there are still plenty of people that don&#x27;t know how to use it, or need lots of help using it, and not much more than 5 years ago you&#x27;d have to drag your team and explain to everyone why it&#x27;s beneficial to use it. And when things go south it takes quite a bit of understanding of the under-the-hood machinery to figure things out.<p>And there are plenty of devs who know like 5 commands to handle git + github UI and when anything goes wrong need help. And people complain about UX of git every week on HN.<p>Usability is 90% familiarity. Once you have enough people who know X well, they help people who don&#x27;t and live goes on.<p>Once you build a good mental model of Nix, it&#x27;s actually very simple, elegant, natural and very usable. The error messages and other-UX-stuff sometimes suck, but it&#x27;s surface level and fixable (thought requires lots of dev work).<p>At this point I can&#x27;t even imagine working without Nix, and giving up on things it allows me to do. It&#x27;s really like a super-power. And it&#x27;s been a great accelerator for teams and project I&#x27;ve introduced it to. I could maybe see something even better just replacing it, but once you really get Nix, there&#x27;s not going back.

It&#x27;s not exactly a 1:1 comparison, but NixOS&#x27; tight and extremely simple integration with systemd and podman has made NixOS native containers a pleasure to work with. OP seems to maybe not be aware of them?

I get very similar vibes to early Docker as I do about Nix today: it requires doing things very differently, is difficult ramp up on because of that, but those who pay the cost to invest the time are gaining an advantage now by their ability to do dazzling things by adopting early.

(Context: I&#x27;m pretty thick into Nix, and have been for about four years. Most of this post is focussed on the NixOS desktop experience, so DevOps nerds, ymmv.)<p>Unpopular opinion: Nix is not that hard.<p>What&#x27;s &quot;hard&quot; from a nix-promotion strategy is motivating people to understand why they would want the benefits it offers. Mostly because Nix, especially with home-manager, dramatically <i>worsens</i> UX for several day-to-day tasks, simply by violating the Law of Least Surprise every couple of hours in normal use.<p><i>I</i> want a fully idempotent, version-locked, rewindable user environment, with a version-controlled central config, because I have half a dozen devices that, for reasons, I need to keep perfectly interchangeable with one another. <i>Most users</i> do not want this, for the simple fact that <i>mutating their configs and differentiating them locally on specific machines</i> is not a bug, but a feature.<p>Even more than that, it&#x27;s an expectation that most software developers share as well.<p>Case in point: I filed a bug against the GitHub CLI last week. If any org has the scope and motivation to build software that&#x27;s compatible with NixOS, an OS most of whose users are developers, it should be GitHub, which is, at least notionally, all about developers, developers, developers. A change in GH required a config format migration, which was sensibly done by opening the config .yml and rewriting it.<p>Of course, this breaks NixOS not just in practice but in principle. NixOS&#x2F;home-manager makes config files read-only. Surprise! <a href="https:&#x2F;&#x2F;github.com&#x2F;cli&#x2F;cli&#x2F;issues&#x2F;8462">https:&#x2F;&#x2F;github.com&#x2F;cli&#x2F;cli&#x2F;issues&#x2F;8462</a><p>The response from GitHub was basically, &quot;yeah, we knew this was going to happen, we mentioned it to the packagers at NixOS, but we did it anyway, because it was still the best way to proceed for us.&quot; (And they weren&#x27;t wrong.)<p>Now, once a month is an annoyance, but I run into these problems daily. I can&#x27;t imagine any sane person -- which I am <i>not</i> -- would persist with using it.<p>Why do I keep using NixOS, then? Because I am terribly and disproprotionately annoyed by small changes in my user experience, which I find disruptive to my workflow and hence threaten my success. For me, forbidding apps from mutating the config files I established for them is a selling point. Being able to version-control an idempotent declarative config for <i>all of them at once</i> is heaven.<p>Unless you&#x27;re like me, you&#x27;ll hate NixOS. But some were meant for Nix.

Unfortunately if you don&#x27;t have a pure language, the benefits of nix disappear and you&#x27;re back in sad imperative land. I&#x27;m a nix language fan. The main mistake is lack of typing and debuggability (esp for recursion). The syntax is intuitive

I find Nix to be very usable. People expect to be able to learn things without trying nowadays.

If everything in the world had to be &#x27;easy&#x27; then no one would be able to ride a bicycle or play a violin. Some tools require expertise to master and the pay-off is worth it. I don&#x27;t go around complaining that violins are too hard.<p>I think of Nix(OS) as a reproducible build system attached to an operating-system linker. It eliminates entire classes of bug reports because (almost) every issue is fully reproducible. If you&#x27;d prefer to keep shipping massive binary blobs of gunk around in container images then you have only yourself to blame when things get weird and no one understands what&#x27;s in the image.

Personally it&#x27;s harder to reason about systems where you define the desired state and it magically happens, this includes functional languages.<p>I have no idea why people think that is better. I always want to command the system and be able to understand the processes it will undergo to implement that change. Even if it is reliable, it&#x27;s difficult to understand or be confident in a system whose inner workings feel like a black-box.

Comments here arguing about functional languages etc. really miss the point from my experience. The usability issues for me were:<p>- The Nix homepage didn&#x27;t explain the actual benefit of using Nix.<p>- Different introductions recommending vastly different ways of getting started. E.g. flakes vs non-flakes.<p>Even now, the homepage is bad:<p>&gt; Nix is a tool that takes a unique approach to package management and system configuration. Learn how to make reproducible, declarative and reliable systems.<p>First sentence tells me nothing. Second sentence doesn&#x27;t differentiate it from Docker.<p>This is, I believe, the fatal flaw of Nix: the developers just don&#x27;t get how to present something that is accessible to users who are not deeply invested in the system. I don&#x27;t care what language Nix is written in. I understand it&#x27;s bad for various reasons (and I&#x27;m a fan of programming languages and I would probably agree with the reasons) but as a user I just want the equivalent of installing software, configuring it, and rolling back if things are messed up. If I can&#x27;t do that in a few expressions or commands or whatever, I&#x27;m not interested. I don&#x27;t care about flakes vs whatever. In fact I don&#x27;t care about flakes at all. I want to type `nix do-the-thing-I-am-actually-interested-in` and have it Just Work.

There needs to be two levels of configuration.<p>One is just straight up a config file and the other is the nix language.<p>Average users should not need to ever touch the nix language. They should only touch a config file.<p>This config file needs to be so simple that it Can be configured with a GUI. Isomorphic configs when run with a formatter should come out identical. What I mean by this is if you have a machine with say version 3.123 of an app installed there is only one possible config file that can describe this configuration. There shouldn&#x27;t be 50 possible ways to program that same configuration.

My personal take is that functional languages are fine if users don’t have to touch them, but will prevent a product from reaching critical adoption if users are facing them directly.

I really really like the idea of idempotent declarative config that eliminates ever having to imperatively touch a server.<p>I really like Nix, it&#x27;s in fact the only non-debian distro I&#x27;ve liked so far.<p>But Snap+Ansible is Good Enough, until Nix gets usability figured out and it becomes a bit more commonly known.

Is usability really just <i>one</i> flaw, like, could we get some usability experts to sit down with it for a couple months and then it&#x27;s perfect?

in this thread: people who is still learning nix, or people who barely got hooked on nix. and lastly people who looked at nix and didn&#x27;t like it.<p>absent: everyone who understand the finer details on software packaging and already implemented different trade-offs than nix