Transforming global software distribution with Nixpkgs

fricklerhandwerk · May 30, 2025, 4:13pm

Hi everyone,

I’m excited to announce that the Sovereign Tech Agency decided to invest 230 000 EUR into improving global IT supply chain security, as well increasing sustainability and reducing tech debt around the Nix ecosystem! We had applied with a development program intended to address a number of known attack surfaces and bottlenecks by end of February 2026:

Improve CI performance and maintainability (@das_j @Conni2461)
Assert reproducibility of Nixpkgs source retrieval (@multivac61 @Mic92) and builds (@raboof @JulienMalka)
Reduce the amount of scripting in the NixOS boot process (@nikstur)
Improve Nix evaluator performance (@roberth)
Implement a “rootless” Nix daemon (@Ericson2314)

This presents a unique opportunity to have experts spend quality time on resolving difficult, long-standing issues, and reinforces the role of NixOS as a critical piece of digital infrastructure.

The Sovereign Tech Agency invests globally in open software components that underpin our digital infrastructure. Their investments scale across many sectors and benefit a broad range of users, directly enhancing productivity, sustainability, and capacity for innovation. Check out their other funded projects to see the broader impact they’re making in strengthening the open source ecosystem.

Background

Back in July 2024, a group of contributors came together to prepare a project application for the Sovereign Tech Fund, following our participation in the Contribute Back Challenge 2023.
After multiple revisions, we went through two iterations with the Sovereign Tech Agency to answer questions, adjust the proposal, and sign a contract.

I would like to thank everyone involved in making this possible, with special thanks to the NixOS infrastructure team (@hexa) and the NixOS Foundation board (@ron @edolstra) at that time.
Great many thanks to the Sovereign Tech Agency team for the trust put into the project team, and also to the giant Nix ecosystem contributor community on the shoulders of which this effort builds.

This announcement comes a bit late since we were first waiting for the contract to be official before talking about the outcome of the application in public, and then conflicting priorities on my end that delayed the write-up.

Progress so far

Some of us already met in March at Ocean Sprint 2025 to coordinate and prepare for the first milestones:

@multivac61 with support from @adisbladis scaffolded a tracking service for fixed-output derivations that you can now try out at https://fod-oracle.org
@nikstur did some groundwork for making NixOS activation less reliant on Bash scripts
@JulienMalka had fruitful exchanges with @arianvp and @mschwaig on further developing build reproducibility infrastructure

@multivac61 iterated on the FOD tracker design with @Mic92, and refined a plan for rolling it out to Nixpkgs CI checks. The necessary API surface is now implemented, and some scalability issues were ironed out. Next up will be supporting incremental and periodic consistency checks.

@das_J and @Conni2461 together with @hexa and @mic92 collected requirements for rewriting Hydra’s queue runner, which is currently a bottleneck that prevents utilising our full build server capacity. There is a (to be published) prototype that connects to the Hydra database and manages the entire communication between the scheduler and workers. Next up would be constructing sensible build queues, after which the prototype should be ready for testing and open for further improvements.

In other news, the initial investment from the Sovereign Tech Challenge in the Nix ecosystem is bearing fruit: The prototype Nixpkgs vulnerability tracker received private follow-up funding to get it ready for productive use.

Stay up to date

Subscribe to this thread to be notified of updates as milestones are reached!

drupol · May 30, 2025, 4:22pm

Amazing news !!! Looking forward for the outcome.

PhilipTaron · May 31, 2025, 2:26am

I’ve never subscribed to a thread faster. Amazing news and a great set of projects. If anyone wants to blast out how to help on any of these efforts, especially if it’s user testing or building or self-hosting, I know I’m not the only one eager to help.

linj · May 31, 2025, 4:18am

I am glad to see efforts about improving nix evaluator performance. Just curious, what is the multi-evaluator support?

Really looking forward to an improved build farm. I hope rebuilds of a flat package set that consists of thousands of small packages (each takes a few seconds to build) can go directly into master instead of staging one day.

arianvp · May 31, 2025, 7:55am

Paying taxes has never been so fun. I’m happy to see this come to fruition!

matthewcroughan · May 31, 2025, 9:54am

230,000 amounts to 0.00002% of Germany’s tax revenue. Which is awesome. I wish my government in the UK would do something obvious and good like this. Or maybe I should be paying German taxes instead. The nix repl failed to calculate this, so I had to nix-shell a better calculator.

❯ nix repl
Nix 2.28.3
Type :? for help.
nix-repl> (230000 / 947700000000) * 100
0

❯ nix-shell -p calc
this path will be fetched (0.85 MiB download, 5.28 MiB unpacked):
  /nix/store/33hds0liqby9s2mn2gy16yz230kgw9qf-calc-2.15.0.2
copying path '/nix/store/33hds0liqby9s2mn2gy16yz230kgw9qf-calc-2.15.0.2' from 'https://cache.nixos.org'...

❯ calc
C-style arbitrary precision calculator (version 2.15.0.2)
Calc is open software. For license details type:  help copyright
[Type "exit" to exit, or "help" for help.]

; (230000 / 947700000000) * 100
	~0.00002426928352854279

nh2 · May 31, 2025, 10:31am

@matthewcroughan Your numbers are off by factor 100.

947.7 billion is not

9 477 000 000

(that is ~9 billion).

matthewcroughan · May 31, 2025, 10:35am

That only makes it more incredible. Thanks for catching, edited above.

nh2 · May 31, 2025, 10:38am

That makes it more credible in my opinion – a much smaller fraction of Germany’s tax money is spent on Nix.

matthewcroughan · May 31, 2025, 10:45am

Not only do I fail at math, but also at English. Though google defines “incredible” as “difficult to believe; extraordinary”. I’m shocked at how small a number this is. Compare it to the GDP which is 4.5 trillion, and wow again. Open source gets so little, and deserved more recognition long ago. I now wonder how much other projects or things get from tax revenue so we can add it all up.

matthewcroughan · May 31, 2025, 11:10am

On that note, I just found Sovereign Tech Agency - Wikipedia, which details some of the other funding that the agency has given. I calculated the total funding to be around 16669152 EUR, which comes to 0.18% of German tax revenue.

fndov · May 31, 2025, 10:32pm

This is wonderful news!

roberth · June 3, 2025, 10:12am

A bit lost in translation, probably to keep the proposal brief.
It refers to the possibility to have multiple “implementations” of an abstract evaluator interface, more so than multiple instances of the current implementation, which already mostly works¹.
Currently when code talks to the evaluation cache, it is quite different from other code that talks directly to the evaluator, yet it has to fall back on the uncached operations for some things.

This item is more of an architectural change and an intermediate step than a user-facing improvement.

¹ Multiple instances works in unit tests. Probably not useful in practice, and not tested in practice. Usefulness might improve after other changes which are not part of any current plans.