NixOS Reproducible Builds: minimal installation ISO successfully independently rebuilt

With 24.05 out, it’s time for an update!

TL;DR: we’re doing better than half a year ago :smiley:

Reproducing the minimal ISO

Some of the workarounds above are no longer needed, so the process has become simpler:

Starting with a fresh VirtualBox appliance with NixOS 20.03 (adding plenty of CPU and memory, and resizing the disk to about 65G via File->Tools->Virtual Media Manager), I followed:

# kvm workaround, can be dropped when we have 2.20.0 which fixes https://github.com/NixOS/nix/issues/9251:
sudo touch /dev/kvm
sudo chmod a+rwx /dev/kvm
# Fetch the build definitions
nix-shell -p git
git clone https://github.com/nixos/nixpkgs
cd nixpkgs
git checkout 2819fffa7fa4
# build the Nix version to perform the iso build with
nix-shell -p nix -I nixpkgs=/home/demo/nixpkgs --option substitute false
# perform the iso build
# (631440 is 630170+1270, see https://github.com/NixOS/nixpkgs/blob/869cab745a802b693b45d193b460c9184da671f3/nixos/release.nix#L15)
nix-build nixos/release-combined.nix -A nixos.iso_minimal.x86_64-linux --option substitute false --max-jobs 6 --arg nixpkgs "{ revCount = 631440; shortRev = \"2819fffa7fa4\"; rev = \"2819fffa7fa42156680f0d282c60d81e8fb185b7\"; }" --arg stableBranch true

This surfaced some more problems (around grub2, syslinux and refind), but after fixing those it produced an iso with sha256sum e56eae863d96e7b81819e720afef8e05a6d8838b02455709b3681553707f93a4, which matches what was built on Hydra (hit ‘details’ or download the iso and see for yourself).
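The final step of the procedure above is the comparison itself: hash the independently built image and check it against the hash Hydra published. The following script is an added example, not part of the original post or of nixpkgs; it assumes the build left the usual `./result` symlink from nix-build with the image under `result/iso/`, and it embeds the sha256 quoted in the post as the reference value. The `file_sha256`, `verify_iso` and `find_iso` function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): compare an independently built
# NixOS ISO against the sha256 Hydra published for the same nixpkgs revision.
set -u

# Reference hash quoted in the post for the 24.05 minimal x86_64 ISO
# built from nixpkgs 2819fffa7fa4.
HYDRA_SHA256=e56eae863d96e7b81819e720afef8e05a6d8838b02455709b3681553707f93a4

# Print the sha256 of a file; works with coreutils sha256sum or BSD shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_iso FILE EXPECTED_HASH
# Prints a verdict. Returns 0 on match, 1 on mismatch, 2 if FILE is unreadable.
verify_iso() {
    file=$1
    expected=$2
    [ -r "$file" ] || { echo "unreadable: $file"; return 2; }
    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "REPRODUCIBLE $file $actual"
        return 0
    fi
    echo "MISMATCH $file"
    echo "  expected $expected"
    echo "  actual   $actual"
    return 1
}

# find_iso RESULT_LINK
# nix-build leaves a ./result symlink whose iso/ directory holds the image;
# print the path of the first .iso found there, or fail.
find_iso() {
    for f in "$1"/iso/*.iso; do
        if [ -e "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    echo "no .iso under $1/iso" >&2
    return 1
}

# Stand-alone usage after the nix-build in the post has finished:
#   sh verify-iso.sh --check-result ./result
if [ "${1:-}" = "--check-result" ]; then
    iso=$(find_iso "${2:-./result}") || exit 2
    verify_iso "$iso" "$HYDRA_SHA256"
    exit $?
fi
```

A non-zero exit on mismatch makes the check usable from CI or from a rebuilder's cron job, and the distinct exit code for an unreadable file keeps "the build did not produce an image" separate from "the image differs", which matters when you are tracking reproducibility over many revisions.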

Where to from now?

In the 23.11 ‘Where to from now?’ section, we identified a number of next steps:

  • We indeed could remove some of the workarounds.
  • We made some good improvements to the reproducibility of the Gnome ISO, but are not there yet.
  • @JulienMalka and I have started work on infrastructure to share and report on build attestations, lila

Further plans:

Want to help?
