by willlll 1578 days ago
If there is something like Heartbleed that needs to update a common dependency, how does NixOS deal with that? Do you need to rebuild everything that uses that dependency, instead of just changing the shared library on a more traditional OS?
3 comments

Yes, but that's not a problem. In traditional systems the reason to avoid rebuilding everything isn't because it takes time (it does, but not that much time); the reason to avoid rebuilding everything is the fear that, halfway through rebuilding everything, you'll discover that some shared lib is missing, or some crucial toolchain has been uninstalled, or that some updated packages rely on incompatible versions of the same dependency, and it turns into a nightmare of toolchain and dependency resolution, leaving your system in a half-upgraded mess. But if the promise of Nix is true, then that's no longer possible; you rebuild everything, all the dependencies work out fine, and you go on with your day.
Yes - same as with containers.
In practice you'll hit a binary cache or build once, push to your cache, then subsequent builds hit cache.
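
A simplified model of the behaviour discussed in this thread, added here as an example and not part of the thread or of Nix's own code: a fix to one library changes the store key of every package that depends on it, and a binary cache means each changed package is built only once. The package graph, the versions other than the OpenSSL ones, and the `store_key`, `realise` and `patch` helpers are constructed for illustration; real Nix hashes the full derivation, not just a name and version.

```python
import hashlib

# Constructed sample graph: package -> (source version, direct dependencies).
PACKAGES = {
    "glibc":   ("2.31", []),
    "zlib":    ("1.2.11", ["glibc"]),
    "openssl": ("1.0.1f", ["glibc", "zlib"]),   # Heartbleed-affected release
    "curl":    ("7.35", ["glibc", "zlib", "openssl"]),
    "nginx":   ("1.4", ["glibc", "openssl"]),
    "git":     ("1.9", ["glibc", "zlib", "curl"]),
}

def store_key(name, pkgs, memo=None):
    """Hash a package's own source together with the keys of all its inputs."""
    memo = {} if memo is None else memo
    if name not in memo:
        version, deps = pkgs[name]
        dep_keys = [store_key(d, pkgs, memo) for d in sorted(deps)]
        material = "|".join([name, version] + dep_keys)
        memo[name] = hashlib.sha256(material.encode()).hexdigest()[:16]
    return memo[name]

def realise(pkgs, cache):
    """Return (built, substituted): built locally vs. fetched from the cache."""
    built, substituted = [], []
    for name in pkgs:
        key = store_key(name, pkgs)
        if key in cache:
            substituted.append(name)
        else:
            cache.add(key)          # build once, then push to the shared cache
            built.append(name)
    return sorted(built), sorted(substituted)

def patch(pkgs, name, new_version):
    """Return a copy of the package set with one package's source replaced."""
    patched = dict(pkgs)
    patched[name] = (new_version, pkgs[name][1])
    return patched

if __name__ == "__main__":
    cache = set()                   # stands in for a shared binary cache
    print("initial build: ", realise(PACKAGES, cache))
    fixed = patch(PACKAGES, "openssl", "1.0.1g")
    print("after the fix: ", realise(fixed, cache))
    print("second machine:", realise(fixed, cache))
```

Packages that do not depend on the patched library (`glibc` and `zlib` here) keep their keys and are never rebuilt, so comparing keys before and after a fix also shows exactly which packages were exposed to the vulnerable version.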