[soraminazuki]

> Main reason for leaving was that Nix package maintainers have to heavily patch all software.

Any widely used distros do this. Plus, the statement that you have to patch all packages is false. In many cases, all you have to do is set the right build flags and environment variables, which is handled by standard helpers in nixpkgs.

I'd also like to add that nixpkgs has the most extensive testing for packages compared to any other distros I've seen.

> Packaging for nix is more like porting software to another operating system.

Dramatic, but again, simply not the case.

> note that they have automated tools for patching the most common problems, so the problem is even worse.

This is a good thing. Manual patching for the most common problems isn't sustainable, especially if you maintain a large number of packages. Just ask packages maintainers of any major distros.

> I was able to merge some pretty large patches to nix-packages from an anonymous and sketchy-looking github account, and they weren't scrutinized much

All packages in nixpkgs has a mandatory review process as you should very well know. As scary as you make it sound, I'm pretty sure at least one committer have taken a look at your code to see if there was anything malicious in it.

> Moreover, Nix breaks the chain of trust for the language packages.

After a quick look, it seems like you can still use the unmodified erlang package manager? The patched version you've mentioned seems to be there for facilitating creation of Nix packages and it looks like the main intent was to remove the ability to download packages from the internet. If this is the case, it wouldn't be a security problem at all because the dependencies would have to be prefetched and their hashes precomputed.

> /nix directory is readable by all users, so you cannot use Nix to manage secrets

Why not store secrets in a private location, just like you would on any other distros??? What is it that other distros have that Nix is missing? I'm not seeing your point here.

With that being said, note that this feature is being worked on, and systemd very recently introduced a new feature for secrets management [1].

> You cannot install opam packages without dealing with incompatiblities, you cannot easily install games from Gog without dealing with incompatibilities

Matbe take a look at buildFHSEnv.

> do you really need such degree of reproducibility for your very own dev machine?

Yes, it saves me from having to do a clean install of my system every few months. I haven't done a clean install at all the last few years since I started using NixOS.

[1]: https://github.com/NixOS/rfcs/pull/59#issuecomment-624723733

[k32]

> Any widely used distros do this.

I've yet to encounter another distro that deliberately breaks 3rd party software the way Nix did it to rebar3 (before it was reverted).

> Plus, the statement that you have to patch all packages is false.

IIRC `patchShebangs' script runs for any package using stdenv.

> I'd also like to add that nixpkgs has the most extensive testing for packages compared to any other distros I've seen.

Which distros? Can you share a comparison in number of tests/coverage?

> Dramatic, but again, simply not the case.

As other commenters mentioned, software written for GNU\Linux often assumes FHS. NixOS breaks FHS, and has to patch soft to work around that.

> This is a good thing.

How so?

> This is a good thing. Manual patching for the most common problems isn't sustainable, especially if you maintain a large number of packages. Just ask packages maintainers of any major distros.

Other major distros don't break FHS, therefore they don't need to patch trivial things like shebangs.

> All packages in nixpkgs has a mandatory review process as you should very well know. As scary as you make it sound, I'm pretty sure at least one committer have taken a look at your code to see if there was anything malicious in it.

It depends on your threat model. Mine is stricter.

> If this is the case, it wouldn't be a security problem at all because the dependencies would have to be prefetched and their hashes precomputed.

Once again, it breaks the cryptographic chain of custody set by the upstream. In my threat model that's not acceptable. I tend to trust the upstream more than the distro.

> Why not store secrets in a private location, just like you would on any other distros???

Secret provisioning is by far the most difficult DevOps problem, and it can go catastrophically wrong for all too many reasons. Nix not only doesn't help, but also introduces additional footguns with world-readable configuration files.

> What is it that other distros have that Nix is missing?

Other distros have FHS. FHS accounts for secret management, among other things.

> Yes, it saves me from having to do a clean install of my system every few months.

Ok, though I never had to do a clean install of GNU\Linux either on my dev machine.

[aidenn0]

The fact that they reverted the rebar change suggests that or wasn't intentional.

[soraminazuki]

> I've yet to encounter another distro that deliberately breaks 3rd party software the way Nix did it to rebar3

Except that your anecdote is completely misleading given that the patched version was intended for creating Nix packages. You could've just used the unmodified version instead.

Furthermore, upstream developers complain about how distros are breaking their software all[1] the[2] time[3]. Again not a Nix specific problem. Nix even alleviates some of the problems because you can use different versions of the same software, meaning that different packages don't have to share dependencies as aggressively as other distros do.

> Which distros? Can you share a comparison in number of tests/coverage?

Arch, Debian, CentOS, and Homebrew, though the last one isn't strictly a Linux distro. I can't possibly count the numbers given that the sheer number of packages available, so it's based on experiences at looking at package definitions. I tend to check package definitions across distros a lot to write packages fir Nix.

> It depends on your threat model. Mine is stricter.

If you have a problem with software projects accepting outside contributions even if they go through review, you have a problem with using free and open source software in general. It makes me wonder how you even manage to use the Linux kernel.

> Once again, it breaks the cryptographic chain of custody set by the upstream. In my threat model that's not acceptable.

Then use the unmodified rebar3 for your project instead. But anyways, if your threat model involves not trusting SHA256, you likely have a problem with your said cryptographic chain of custody too.

> Nix not only doesn't help, but also introduces additional footguns with world-readable configuration files.

> FHS accounts for secret management, among other things.

That's an outright lie. NixOS doesn't prevent you from storing secrets in a file and applying your usual UNIX permissions. FHS has absolutely nothing to do with it.

[1]: https://github.com/pypa/pip/issues/5599 [2]: https://web.archive.org/web/20181021091049/https://github.co... [3]: https://twitter.com/videolan/status/1153963312981389312

[k32]

> Except that your anecdote is completely misleading given that the patched version was intended for creating Nix packages. You could've just used the unmodified version instead.

The package was called rebar3, not rebar3-nix or something. If the fork was called differently then no one would complain. Also this fork was based on hacks, like patching rebar3's internal files and messing with caches. If you don't see anything wrong about this, then this way of thinking just proves what I said in the parent.

But forking rebar3 wasn't needed at all, because rebar3 _already_ had all the features needed for Nix. Namely, it has get-deps command producing fixed output derivation, and it supports _checkouts directory, needed for hermetic build.

> Then use the unmodified rebar3 for your project instead. But anyways, if your threat model involves not trusting SHA256, you likely have a problem with your said cryptographic chain of custody too.

There's no reason to use SHA256, if you just replace it with a different SHA256 whenever it doesn't match with the upstream.

> Nix even alleviates some of the problems because you can use different versions of the same software, meaning that different packages don't have to share dependencies as aggressively as other distros do.

Docker exists. Although it's not perfect by any means, it doesn't require reinventing the entire world. I extrapolated my experience with Erlang to the rest of NixOS reinventions, which in theory could be wrong, but it was convincing enough for me.

> That's an outright lie. NixOS doesn't prevent you from storing secrets in a file and applying your usual UNIX permissions. FHS has absolutely nothing to do with it.

I was not talking about "storing secrets in a file", but rather about the whole live cycle of the secrets, including transferring them between parties, storing, provisioning, rotation, etc (imagine you have to solve a problem of changing some secret on 100 machines securely and reproducibly via blue/green deployment). As far as I know, Nix doesn't provide facilities for solving this problem at scale. I would be happy to be proven wrong.

> FHS has absolutely nothing to do with it.

It absolutely does. Some pieces of software look for secrets in /etc/ (Kafka, for example). When etc (or its analogue in /nix) is world-readable hilarity ensues.

[soraminazuki]

> The package was called rebar3, not rebar3-nix or something. If the fork was called differently then no one would complain.

First of all, the fork obviously isn't there for general consumption. You made it sound like unsuspecting users would use it and have unverified code downloaded on their machines, which is borderline false when it doesn't have the ability to download code from online sources. This attempt to mislead is what I'm having problems with.

Second, it would've been nice if you've raised an issue on GitHub and helped improve Nix instead of complaining and spreading borderline falsehoods on HN. Erlang isn't exactly a widely used language, so design choices would be made by the few who actually uses it. It would always help to have more productive input by actual users.

> Also this fork was based on hacks, like patching rebar3's internal files and messing with caches. If you don't see anything wrong about this, then this way of thinking just proves what I said in the parent.

Ranting about how "it's a hack!" based on cherry-picked implementation details isn't convincing at all. The intent here is to have a copy of rebar3 that builds packages from local sources only, for consumption by package maintainers. That's not by any means unreasonable.

> But forking rebar3 wasn't needed at all, because rebar3 _already_ had all the features needed for Nix.

Tell me a single major distro where it's okay to essentially redistribute packages from language-specific package managers without making huge adjustments in the way packaging is handled. I know of none. For countless software, distros just give up on packaging altogether because the effort required to make that adjustment can easily get out of hand. This is the major reason many Maven packages aren't packaged on Debian.

To make matters worse, many packages from languages-specific package managers won't even compile on major traditional FHS compliant distros. Changes to upstream packaging aren't unwarranted, however much you'd prefer to believe otherwise.

> There's no reason to use SHA256, if you just replace it with a different SHA256 whenever it doesn't match with the upstream.

The SHA256 would be verified by package maintainers, reviewers, and the hydra CI instance.

> Docker exists.

If you're against the concept of distro-provided packages, why didn't you say so upfront instead of making baseless accusations about what a horrible security disaster Nix is?

Also let me remind you that almost all Docker container images rely heavily on distro-provided packages. What are you going to do now?

> As far as I know, Nix doesn't provide facilities for solving this problem at scale.

Neither do other distros, though Nix is a close to having a built-in solution as I've just shown you.

> When etc (or its analogue in /nix) is world-readable hilarity ensues.

Why are you repeating this when I just told you it's not true? /etc in Nix is not world-readable, plain and simple. This works perfectly fine on my NixOS system:

    $ echo secret | sudo tee -a /etc/secret > /dev/null && sudo chmod 600 /etc/secret    
    $ cat /etc/secret
    cat: /etc/secret: Permission denied
    $ sudo cat /etc/secret
    secret

[k32]

> First of all, the fork obviously isn't there for general consumption.

I didn't know that when I installed a package called "rebar3" and spend some time trying to understand what's wrong with my build. Oh, my bad, should've known better that "rebar3" was for internal consumption, and I need to install "rebar3-open" instead.

> Second, it would've been nice if you've raised an issue on GitHub and helped improve Nix instead of complaining and spreading borderline falsehoods on HN.

Thanks for suggestion. I did exactly that, and I fixed this entire mess. In fact, the current NixOS Erlang infra is partially based on that work.

> Ranting about how "it's a hack!" based on cherry-picked implementation details isn't convincing at all.

I professionally work with Erlang, and I know what is hack and what is not.

> Tell me a single major distro where it's okay to essentially redistribute packages from language-specific package managers without making huge adjustments in the way packaging is handled. I know of none. For countless software, distros just give up on packaging altogether because the effort required to make that adjustment can easily get out of hand.

Language-specific packaging should be left to language-specific package managers, they have more domain knowledge. Nix doesn't solve this dilemma in any better way.

> Also let me remind you that almost all Docker container images rely heavily on distro-provided packages. What are you going to do now?

Keep on using it? Take systems software from the distro-provided packages, add my own stuff on top. Building RPM is a nobrainer. I was considering Nix as an alternative to our deploy process, but realized that it would introduce more problems than solve.

> /etc in Nix is not world-readable, plain and simple.

Please take a closer look at what you're quoting. You missed a very important part:

> (or its analogue in /nix)

You see, if I want to utilize Nix to full extend and use its main "reproducibility" feature, I need to put all my configuration in a derivation. Configuration includes secrets. Derivations are world-readable.

> Neither do other distros

Distros maybe don't, but "bug-ridden kludge that is Ansible" (according to Nix user) does.

[soraminazuki]

> Oh, my bad, should've known better that "rebar3" was for internal consumption, and I need to install "rebar3-open" instead.

If that was your problem, you should've said so instead of spinning it up into an entirely different security problem that plainly did not exist.

> Thanks for suggestion. I did exactly that

Except you didn't stop spreading falsehoods. You've spent more lines using your brand new HN account spreading lies about an open source project people have dedicated their free time into.

> professionally work with Erlang, and I know what is hack and what is not.

Fixating on hyper specific implementation details taken out of context without considering the design, intent, and usage is not what I call professionalism in the software industry.

> Language-specific packaging should be left to language-specific package managers, they have more domain knowledge.

Domain knowledge that fails to build or run portably even on widely used FHS-compliant Linux distros.

> Nix doesn't solve this dilemma in any better way.

I've already explained about the problems distro package maintainer faces and how Nix alleviates some of the problems which you then responded with a totally unrelated "Docker exists" nonsense.

> Take systems software from the distro-provided packages, add my own stuff on top.

So packaging problems won't exist if we just stick with Docker, but you would use distro packages to create a Docker image? How would that even work?

> Building RPM is a nobrainer.

Go tell that to RedHat maintainers.

> Please take a closer look at what you're quoting. You missed a very important part: > > (or its analogue in /nix)

/etc in NixOS is not /nix. It's /etc. Very important indeed.

> You see, if I want to utilize Nix to full extend and use its main "reproducibility" feature, I need to put all my configuration in a derivation. Configuration includes secrets. Derivations are world-readable.

You see, Please. Stop. Repeating. Lies.

You don't put secrets in a world-readable location, period. The typical Nix way of handling secrets is that you store in them in a secure path and point the configuration to that path.

> Distros maybe don't, but "bug-ridden kludge that is Ansible" (according to Nix user) does.

You can use numerous solutions that can work together with Nix. How about NixOps, which, among other things, handles secrets management? Or what about, say, Ansible? After all, any solution that would be able to send the Nix configuration, place secrets in a secure filesystem path, and run commands to build the Nix configuration would suffice.