How do i query the nix store for all packages i have built myself

davidak · May 9, 2022, 12:13am

I want to have all store paths that i have built myself and not downloaded from Hydra or other substitutors.

Best would be if i can filter it to only contain packages and not sources, configs or tests.

I would like to submit those to Trustix.

Atemu · May 9, 2022, 6:54am

Does the Nix database store the source of an output path (substitute vs. build)? That’s the only place I could imagine sourcing this information from, otherwise any output path is the same.

If this isn’t available, your only bet would be to set up a quick script to hash output paths and compare them with the cache.

trofi · May 9, 2022, 8:00am

Not an expert on nix store, but i think ultimate signature means it was built on your machine:

$ nix path-info -r  --sigs /run/current-system | fgrep ultimate
/nix/store/s0niplml4flh94q36lkdllb87xk4r4ly-etc-lvm.conf                                        ultimate
/nix/store/sb92hx576xlhjz607nz433w3hilljhrl-lightdm.pam                                         ultimate
/nix/store/swc0x2yrmr3pq3j1i0aw62i8h6s0025g-etc-lsb-release                                     ultimate
...

Fetching all local paths:

$ sqlite3  /nix/var/nix/db/db.sqlite 'SELECT path FROM ValidPaths WHERE ultimate IS NOT NULL;'
...
/nix/store/79rsmykdc1hyi64zxrs4dzyy903b5gdn-perl5.32.1-System-Command-1.121
/nix/store/s3ndlkaipad43jxqjy4qpzfshlj4z2c2-gperftools-2.9.1
/nix/store/rzn5jv1xxxxwdgmjl0hasvzcjxsdk98m-source-highlight-3.1.9
/nix/store/bjpjfa5vqkfj9r5q90n6fkjqqw7cfal7-source-highlight-3.1.9-dev
/nix/store/0vjjja86iwc21244573a79xr5w14hg7s-asciidoc-9.1.0

Atemu · May 9, 2022, 8:14am

That seems to be the case; substituted paths are signed by the NixOS cache.

trofi · May 9, 2022, 8:29am

To add a bit of color to it: looking at nix/local-derivation-goal.cc at 059ae7f6c4b491d728714207c082a03d94c06744 · NixOS/nix · GitHub ultimate is not mutually exclusive with other signatures (local or remote):

# fetch from cache:
$ nix build -f '<nixpkgs>' lv
$ nix path-info --sigs ./result
/nix/store/0ip5dpkj6lmv2xcixnfkkmxf966vqjz0-lv-4.51     cache.nixos.org-1:5w80DSCt49gaSBEM9TO0X3HCABmdbVjzTcBE43ULYrXODgkaiI/gkOiGrLG6ng7Oq63DsfWsAt2m66snitbDBA==

# build locally
$ nix build -f '<nixpkgs>' lv --rebuild
$ nix path-info --sigs ./result
/nix/store/0ip5dpkj6lmv2xcixnfkkmxf966vqjz0-lv-4.51     ultimate cache.nixos.org-1:5w80DSCt49gaSBEM9TO0X3HCABmdbVjzTcBE43ULYrXODgkaiI/gkOiGrLG6ng7Oq63DsfWsAt2m66snitbDBA==

Note that up to just cache.nixos.org-1 signature one more was added: ultimate. Depending on what you’d like to achieve you might need to filter some cases out.

davidak · May 9, 2022, 9:27am

yes, that is true

github.com

NixOS/nix/blob/c000cec27fcb16548606830410be265eb082f777/src/libstore/path-info.hh#L39-L41

    
      
          /* Whether the path is ultimately trusted, that is, it's a
             derivation output that was built locally. */
          bool ultimate = false;

So to get all local built store paths:

nix path-info --all --sigs | fgrep ultimate | awk '{print $1}'
/nix/store/00fncjc1nkrmxady649f4pl5fnv6cmc4-cli-3d22a24
/nix/store/1sc7ngvs8xlgfimxggc8x7dyv14pcp2z-unit-dbus.socket
/nix/store/5wr912j78swlicllrbw2l4p7y1z1qyfs-gsignond-with-plugins-1.2.0
...

Many config files are less than 1KB, many service files are between 1 and 4KB, everything above is mostly packages and sources.

We can also remove paths with known endings we don’t want.

So here we go:

nix path-info --all --sigs --size | fgrep ultimate | awk '{ if ($2 > 4000) print $1}' | sed -E '/.*\.zip$|.*\.gz$|.*\.tgz$|.*\.bz$|.*\.xz$|.*\.deb$|.*\.conf$|.*\.target$|.*\.socket$|.*\.timer$|.*\.pam$|.*\.json$|.*\.patch$|.*\.service$|.*-etc$|.*-nixos-system.*$|.*-system-units$|.*-user-environment$|.*-etc-environment$|.*-env$/d'
/nix/store/00fncjc1nkrmxady649f4pl5fnv6cmc4-cli-3d22a24
/nix/store/5wr912j78swlicllrbw2l4p7y1z1qyfs-gsignond-with-plugins-1.2.0
/nix/store/9id0c5lv279p9lkxhpzgfg5x7na5q40n-nixos-install
...

Thank you!