NixOS Reproducible Builds: minimal installation ISO successfully independently rebuilt

With 25.05 out, it’s time for an update!

TL;DR: we’re doing better than a year ago

Reproducing the minimal ISO

Some of the workarounds above are no longer needed, so the process has become simpler:

Starting the NixOS 20.03 VirtualBox applicance in qemu:

$ tar -xvf ~/Downloads/nixos-20.03.1405.a17e021b948-x86_64-linux.ova
$ qemu-img convert -f vmdk -O qcow2 nixos-20.03.1405.a17e021b948-x86_64-linux-disk001.vmdk rb.qcow2
$ qemu-img resize rb.qcow2 120G
$ qemu-system-x86_64 -m 18432 -smp 16 -cpu host -enable-kvm -drive file=rb.qcow2

Then inside the vm:

# Fetch the build definitions
$ nix-shell -p git
$ git clone https://github.com/nixos/nixpkgs
$ cd nixpkgs
# build the Nix version to build Nix with
$ git checkout 8e8f31731938
$ nix-shell -p nix -I nixpkgs=/home/demo/nixpkgs
# build the Nix version to build the ISO with (with binary cache disabled)
$ git checkout 7848cd8c982f
$ nix-shell -p nix -I nixpkgs=/home/demo/nixpkgs --option substitute false
# perform the iso build (with binary cache disabled)
$ nix-build nixos/release-combined.nix -A nixos.iso_minimal.x86_64-linux --option substitute false --max-jobs 6 --arg nixpkgs "{ revCount = 802674; shortRev = \"7848cd8c982f\"; rev = \"7848cd8c982f7740edf76ddb3b43d234cb80fc4d\"; }" --arg stableBranch true

This produced an iso with sha256sum a11d65b2944ceef0dd783524e1c4cdc21cc3f47cfc0879431bf49751213b4bb8, which matches what was built on Hydra (hit ‘details’ or download the iso and see for yourself).

Limitations

This result greatly improves our confidence that the binary cache has not been tampered with. However, before we can say the ISO has been “fully reproduced” from source, we must still verify if there are any packages in this set that rely on binary upstream releases instead of building from source.

Where to from now?

Further plans:

• Continue fixing known nondeterminisms, notably working towards making the Graphical ISO reproducible as well
• Continue on hash collection
• Set up infrastructure so that we can regularly independently rebuild artifacts, instead of ‘one-off’ checks like this.
• Flag which derivations still depend on a binary upstream release instead of being built from source

Want to help?

• Join us at #reproducible-builds:nixos.org
• Check out the GitHub project board
• Check out lila
• Check out the NixOS Reproducible Builds website: