by tombert 752 days ago
Flakes definitely help with the giant megarepo annoyances of NixOS, though they're still a little irritating. If you are writing in a language that hasn't had its packages directly integrated into the build system (like Python's has), it can be really irritating to do anything with them, since the `nix build` command disables network access and you therefore cannot use the regular package manager.

I'm doing a project in Julia, and I'm using Nix Flakes to do it, but it's been immensely annoying to actually get that working [1]. As a result, I've had to avoid using the `nix build` command entirely (though the flakes are still useful for the `nix develop` command).

All that said, do you plan on having Brioche work with reproducible builds, and if so do you have a plan to make what I mentioned a bit less irritating?

[1] I know Julia2Nix exists, and I have never managed to actually get that working on any platform.


This was one of my bigger pain points with Nix as well: there was a lot of "reinventing the world" just to avoid network access. With Brioche, I stuck with disabling network access by default, but there's an escape hatch to specifically opt in to networking (by calling `.unsafe({ networking: true })` on a process recipe). My thoughts are that Cargo, NPM, Poetry, etc. have all done a great job building amazing tooling to download and verify resources from the network against a lockfile, and I wanted to be able to leverage as much of that as possible. So, for example, `npm clean-install` will give you more or less the same guarantees that Nix does, so my thought was that as long as it's encapsulated properly, I'd rather lean on existing tooling (that's also why I used the term "unsafe": you need to make sure you only access the network with tools that do sufficient verification!).

I've generally stayed away from using the term "reproducible build" when talking about Brioche, because I don't feel like it fits the reproducible-builds.org definition (though I don't think Nix does either). But, if a build is cached locally or in the registry, then you're guaranteed to get the same result, since it'll just re-use the cache.

The sandboxing also gives pretty strong guarantees around hermetic builds [1]. So I think you could do reproducible builds _within_ Brioche (and I'd like to add tools to make this even easier), but I'd say Brioche itself doesn't give you reproducible builds out of the box.

[1]: https://bazel.build/basics/hermeticity

That's actually really great to hear! I might need to play with this tonight then.

It looks like the project files aren't radically dissimilar to Flakes, so I think you're really on the right track for making something that could be really useful for a lot of people. Great work!

> have all done a great job building amazing tooling to download and verify resources from the network against a lockfile

This is a bad assumption.

If the underlying package ecosystem is a mess then it'll also be a mess in Nix. To this day Nix doesn't really have a good answer to Python or JavaScript packaging.

If the underlying package manager is good (Rust, Go) then there's just no need to reinvent the wheel.

Why? Are you referring to the fact that it's opt-in; you have to use `cargo build --locked` or `npm ci`?

I interpreted the parent to mean that it might not be fair to assume existing package managers have done a _great_ job at downloading and verifying, especially verifying, resources from the network. There are businesses that exist attempting to solve this problem like socket.io. Safely installing the correct dependencies for a project is still not a guarantee from any of the major package managers.

> `nix build` command disables network access

Only if building with the sandbox enabled. You can disable it if network access is required. It seems someone opened an issue asking [1] for granular permissions (explicit network restriction) but it has been marked as stale. In the same issue someone else has made a comment providing a hybrid approach.

Since you mentioned Julia, it's possible to build Julia environments (with arbitrary packages) using the `.withPackages` function. E.g. `julia.withPackages ["Plots"]`.

[1]: https://github.com/NixOS/nix/issues/4584

I didn't realize that. I will give that a look.

Instead of disabling it completely, you can set it to 'relaxed'. That still allows network access, but maintains the other isolation guarantees.

Obviously this introduces a potential impurity. I use it for installing NeoForge into a Minecraft server derivation; the downloaded files could change behind my back, but so long as the version doesn't change it should still be compatible. It hasn't yet caused trouble.

NixOS has a lot of escape hatches once you look around, and you shouldn't be afraid to use them. The downsides of impure derivations aren't quite as bad as not using derivations, anyway.

Another option is to declare it as a fixed-output derivation, in which case network access is enabled by default. This doesn't work for most installers, though; at a minimum you'll need to delete logfiles that might contain timestamps.

If you mark a derivation as impure with `__impure = true;` and activate "ca-derivations flakes nix-command" as experimental features, you can access the internet.

I agree it's sometimes a pain, though.

But most of the time, if you need internet access and you can specify the "hash" of the result file, anything that you do to achieve that file can have internet access.
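The fixed-output route described in the last two comments (network allowed inside the sandbox because the result's hash is declared up front, volatile files stripped before hashing), as an added example that is not from the thread or from any project it mentions. It assumes `pkgs` is an imported nixpkgs and uses `npm ci` as a stand-in for whatever lockfile-driven fetcher the project relies on; the package name is hypothetical.

```nix
# Added example (not from the thread): a fixed-output derivation that is
# allowed network access inside the Nix sandbox because its output hash is
# declared in advance. Assumes `pkgs` is an imported nixpkgs; `npm ci` stands
# in for whatever lockfile-driven tool the project uses.
{ pkgs ? import <nixpkgs> { } }:

pkgs.stdenv.mkDerivation {
  pname = "example-node-deps";   # hypothetical name
  version = "0.1.0";
  src = ./.;                     # must contain package.json + package-lock.json

  nativeBuildInputs = [ pkgs.nodejs pkgs.cacert ];

  # Network-using step: npm checks every tarball against the `integrity`
  # field in package-lock.json, which is the verification the thread leans on.
  # --ignore-scripts keeps untrusted install hooks from running in the build.
  buildPhase = ''
    export HOME=$TMPDIR
    export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
    npm ci --ignore-scripts --no-audit --no-fund
  '';

  # A fixed output must be byte-for-byte identical on every run, so remove
  # anything volatile (timestamped logs, caches) before Nix hashes the tree.
  installPhase = ''
    rm -rf node_modules/.cache
    find node_modules -name '*.log' -delete
    mkdir -p $out
    cp -r node_modules $out/
  '';

  # These three attributes make it a fixed-output derivation. Build once with
  # lib.fakeHash, copy the hash Nix reports in the mismatch error here, and
  # later builds are served from the store without touching the network.
  outputHashAlgo = "sha256";
  outputHashMode = "recursive";
  outputHash = pkgs.lib.fakeHash;
}
```

The "relaxed" alternative mentioned earlier in the thread is `__noChroot = true;` on the derivation with `sandbox = relaxed` in nix.conf; that drops the sandbox for that build but records no hash, so nothing catches a changed download.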