by c0balt
491 days ago

> You also couldn't feasibly do that for derivations that actually build packages, [..] you would have to update all of the affected hashes.

You can, actually: changes to stdenv are possible and "just" a lot of work. You will regularly see them between releases or on unstable, and they cause mass rebuilds. This doesn't just affect a compiler but also all stdenv tooling, as these changes tend to cause rebuilds across nixpkgs. This would be verifiable, but it obviously multiplies the amount of compute spent. Hint: if you look at PRs for nixpkgs you will notice labels indicating the required amounts of rebuilds, e.g., rebuild-darwin:1-10. See for example https://github.com/NixOS/nixpkgs/pull/377186 with the rebuild-darwin:5001+ label.

What works better is keeping track of those hashes as part of the signatures, which is already happening. There are a lot of interesting things that can be done with that kind of information; I'm one of the people working on that kind of stuff.
Basically, I have a paper out about how verifiability and reproducibility can come together like that in Nix:
https://dl.acm.org/doi/10.1145/3689944.3696169
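Added example (not part of c0balt's comment, nor code from Nix or the linked paper): a small Python model of the two mechanics discussed above. Input-addressed derivation hashes make a change to stdenv propagate to every dependent derivation's hash (the "mass rebuild"), and a signature that binds the derivation hash to the output hash lets independent builders' results be cross-checked. The package graph, recipes, builder names and keys are constructed for illustration; the hash construction is a simplification, not Nix's real .drv hashing or Ed25519 narinfo signatures, and the intermediate rebuild-label buckets are an assumption (only 1-10 and 5001+ appear in the comment).

```python
"""Toy model of input-addressed derivation hashes, rebuild blast radius and
build signatures. Constructed for illustration: it is NOT Nix's real
derivation-hash or narinfo-signature algorithm (Nix hashes the serialised
.drv and signs with Ed25519). It keeps the one property that matters here:
a derivation's identity is a hash over its own recipe plus its inputs'
identities, so a change low in the graph changes every hash above it."""
import hashlib
import hmac
from typing import Dict, List, Optional, Set


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


class Derivation:
    def __init__(self, name: str, recipe: str, inputs: Optional[List["Derivation"]] = None):
        self.name = name
        self.recipe = recipe            # builder script, sources, flags, abstracted to one string
        self.inputs = list(inputs or [])

    def drv_hash(self) -> str:
        # Identity = hash(name, recipe, sorted input identities); any input change propagates.
        parts = [self.name, self.recipe] + sorted(i.drv_hash() for i in self.inputs)
        return sha256_hex("\0".join(parts))


# Constructed mini-nixpkgs recipes (hypothetical strings, not real package definitions).
DEFAULT_RECIPES = {
    "curl-src": "fetchurl sha256=<fixed-output>",   # fixed-output style: no stdenv input
    "stdenv": "gcc-13 + binutils + coreutils",
    "zlib": "configure; make",
    "openssl": "./Configure; make",
    "curl": "configure --with-openssl --with-zlib",
    "git": "make NO_GETTEXT=1",
}


def make_graph(overrides: Optional[Dict[str, str]] = None) -> Dict[str, Derivation]:
    """Evaluate the constructed graph; pass {"stdenv": "..."} etc. to simulate a PR touching a recipe."""
    r = {**DEFAULT_RECIPES, **(overrides or {})}
    src = Derivation("curl-src", r["curl-src"])
    stdenv = Derivation("stdenv", r["stdenv"])
    zlib = Derivation("zlib", r["zlib"], [stdenv])
    openssl = Derivation("openssl", r["openssl"], [stdenv])
    curl = Derivation("curl", r["curl"], [stdenv, zlib, openssl, src])
    git = Derivation("git", r["git"], [stdenv, curl])
    return {d.name: d for d in (src, stdenv, zlib, openssl, curl, git)}


def rebuild_set(old: Dict[str, Derivation], new: Dict[str, Derivation]) -> Set[str]:
    """Names whose derivation hash differs between two evaluations: exactly what must be rebuilt."""
    return {n for n in old if old[n].drv_hash() != new[n].drv_hash()}


def rebuild_label(platform: str, count: int) -> Optional[str]:
    """Bucket a rebuild count like the nixpkgs PR labels. 1-10 and 5001+ are quoted in the
    comment above; the intermediate bucket bounds are an assumption."""
    if count == 0:
        return None
    for upper, text in [(10, "1-10"), (100, "11-100"), (500, "101-500"),
                        (1000, "501-1000"), (2500, "1001-2500"), (5000, "2501-5000")]:
        if count <= upper:
            return f"rebuild-{platform}:{text}"
    return f"rebuild-{platform}:5001+"


def build(drv: Derivation, builder: str, nondeterministic: bool = False) -> str:
    """Pretend build returning an output hash. A reproducible build depends only on the
    derivation; a nondeterministic one leaks builder state (timestamps, paths, ...)."""
    return sha256_hex("out:" + drv.drv_hash() + (builder if nondeterministic else ""))


def sign_record(builder: str, key: bytes, drv_hash: str, out_hash: str) -> dict:
    """The signature binds the *input* identity to the *output* identity (HMAC stands in for Ed25519)."""
    sig = hmac.new(key, f"{drv_hash}:{out_hash}".encode(), hashlib.sha256).hexdigest()
    return {"builder": builder, "drv": drv_hash, "out": out_hash, "sig": sig}


def verify_record(rec: dict, key: bytes) -> bool:
    expected = hmac.new(key, f"{rec['drv']}:{rec['out']}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(rec["sig"], expected)


def cross_check(records: List[dict], keys: Dict[str, bytes], min_builders: int = 2) -> bool:
    """Accept an output only if at least min_builders trusted builders signed a record for the
    same derivation hash and all of them name the same output hash: reproducible and verified."""
    valid = [r for r in records if r["builder"] in keys and verify_record(r, keys[r["builder"]])]
    if len({r["builder"] for r in valid}) < min_builders:
        return False
    return len({r["drv"] for r in valid}) == 1 and len({r["out"] for r in valid}) == 1


if __name__ == "__main__":
    base = make_graph()
    bumped = make_graph({"stdenv": "gcc-14 + binutils + coreutils"})   # a hypothetical stdenv PR
    changed = rebuild_set(base, bumped)
    print(sorted(changed), rebuild_label("darwin", len(changed)))
    keys = {"hydra": b"hydra-secret", "rebuilder": b"rebuilder-secret"}  # constructed keys
    curl = base["curl"]
    recs = [sign_record(b, k, curl.drv_hash(), build(curl, b)) for b, k in keys.items()]
    print("curl independently verified:", cross_check(recs, keys))
```

Running it shows the stdenv change touching every derivation except the fixed-output source, while a change confined to zlib only rebuilds zlib and what sits above it; the signature half shows why a record of (derivation hash, output hash) per builder is enough to separate "reproducible and confirmed" from "builders disagree" without re-deriving anything.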